I'm trying to send data fetched via the application TA-Webtools to Splunk HEC using the following command -
curl method=post uri=https://localhost:8088/services/collector/event
user=Splunk pass=mytoken
data="{"event":"hello"}"
and getting error 400 - TEXT: {"text":"Invalid data format","code":6,"invalid-event-number":0}
Any ideas what I'm missing?
https://splunkbase.splunk.com/app/4146/
Please see if the new version of the app addresses your issue.
Can you try:
data="{'event': 'hello'}"
that's what I was trying initially. same error.
It is weird, because if I use collector/raw instead of collector/event I'm not getting an error; it displays success.
Can you try:
curl -k https://input-<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"Hello, World!"}'
Wrong curl @p_gurav
Try the app and see what we’re talking about though. It’s called TA-Webtools
Hey Nini,
Try putting your data field in single quotes
data='{....}'
Thanks, I tried that but still getting the same error.
Which version of the app do you have?
version 1.3
First, the format of the data you are sending to the HTTP Event Collector appears to be wrong. From the REST documentation you should be posting a payload like this:
'{"sourcetype":"access", "source":"/var/log/access.log", "event": {"message":"Access log test message"}}'
However, you also need to pass the API token in your Authorization header, and I do apologize, but there's currently no way to do that with the curl SPL command. It seems it's working fine with your user/pass approach though. So maybe it will work when you update the event format you're sending to the endpoint.
See the documentation for services/collector endpoint here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/RESTREF/RESTinput#services.2Fcollector.2Fevent
Thanks.
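As an added example (not part of this thread, and not code from the TA-Webtools app or from Splunk), here is a small Python script that builds a request for the services/collector/event endpoint the way the answer above describes: a JSON body whose top-level object carries an "event" key, and the token in an "Authorization: Splunk <token>" header. The check_event_payload function is a local approximation of the structural requirement behind the 400 "Invalid data format" reply, so you can see why '{"event":"hello"}' passes while "{'event': 'hello'}" (single quotes, not valid JSON) does not; the host, port, token and event values are placeholders.

```python
import json
import ssl
from urllib.request import Request, urlopen


def build_hec_request(host, token, event, sourcetype=None, source=None, port=8088):
    """Build (url, headers, body) for a POST to services/collector/event.

    The token goes in an Authorization header with the "Splunk" scheme,
    not in HTTP basic auth, and the body is a JSON object whose "event"
    key holds the payload. sourcetype and source are optional metadata.
    """
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    if source:
        payload["source"] = source
    url = f"https://{host}:{port}/services/collector/event"
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(payload)


def check_event_payload(body):
    """Return None if body is acceptable for collector/event, else a reason.

    Local approximation (an assumption, not Splunk's own code) of what the
    event endpoint rejects with 400 "Invalid data format": the body must
    parse as JSON, the top-level value must be an object, and it must carry
    a non-empty "event" key. The raw endpoint (collector/raw) accepts plain
    text, which is why the same string succeeds there.
    """
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return f"not valid JSON: {exc.msg}"
    if not isinstance(obj, dict):
        return "top-level value must be a JSON object"
    if "event" not in obj:
        return 'missing "event" key'
    if obj["event"] in ("", None, {}, []):
        return '"event" must not be empty'
    return None


def post_to_hec(url, headers, body, insecure=False):
    """Send the request and return (status, response text).

    insecure=True disables TLS verification; use it only against a lab
    listener with a self-signed certificate, never in production.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholder host/token; replace with your HEC listener and token.
    url, headers, body = build_hec_request(
        "localhost", "mytoken", {"message": "hello"},
        sourcetype="access", source="/var/log/access.log",
    )
    print(url, headers, body)
    # Constructed sample bodies: the good one, the single-quoted one from
    # the thread, and one with the wrong key name.
    for candidate in (body, "{'event': 'hello'}", '{"evt":"hello"}'):
        print(repr(candidate), "->", check_event_payload(candidate) or "ok")
    # post_to_hec(url, headers, body, insecure=True)  # uncomment to actually send
```

Run check_event_payload on the exact string you are about to send before debugging the endpoint; if it already fails locally, the quoting in your search command (not the token or the endpoint) is the problem.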
Just want to ask a clarifying question.
Using this app I'm successfully making a GET request and taking info (JSON).
As a next step within the same search I need to send this data to HEC. So this functionality is not available at this moment?
It appears the POST requires auth headers, which you can't manipulate much using the curl command.
You can try adding splunkauth=true to the post command and formatting the event data as the API expects.
If it works, let us know. I would test but I'm not in my office today.
Did you know that you can log an event as an alert action?
http://docs.splunk.com/Documentation/Splunk/7.0.3/Alert/LogEvents