Hi,
I configured HTTP Event Collector (EC) on my local machine through the GUI (generated a token, created an index and source type), and in the backend the splunk_httpinput app's local directory got created with inputs.conf:
[http://test]
disabled = 0
index = testindex
indexes = testindex
source = testtt
sourcetype = testst
token = 8111111111111*********
And from the command prompt, if I run the below curl command:
C:\Program Files\cURL>curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*********" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"
I can see the events in the search head.
My question is how to override the sourcetype and index through curl commands?
According to http://dev.splunk.com/view/event-collector/SP-CAAAE6P you can set special keys in your JSON next to the event to set metadata.
Both your payloads aren't one JSON object. It should be something like ... -d '{"event":"hello world", "sourcetype": "hello", "index": "abc"}'
Hi Miller,
Now it is working. I tried it like this on Windows.
curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87*D-F645-D-A7E4-EAAD8FC6" -d "{\"time\": 1437522387,\"host\": \"localhost1\",\"source\": \"testapp1\",\"sourcetype\":\"testapp1\",\"index\":\"testindexxxxxx\",\"event\": {\"message\": \"Something happened1\",\"severity\": \"WARN\"}}"
Thanks.
Here's a quote from that page:
Examples
Following are several examples of HTTP Event Collector data packets:
{
"time": 1426279439, // epoch time
"host": "localhost",
"source": "datasource",
"sourcetype": "txt",
"index": "main",
"event": { "hello": "world" }
}
In your question you've only set the event property.
Hi Martin,
I tried the below 2 commands on my local Windows machine; they are not getting executed.
1) curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" -d "{\"event\":\"Breakfast Order\"}{"time": 1426279439,"host": "localhost","source": "datasource","sourcetype": "hello","index": "abc","event": { "hello": "world" }"
2) curl -k -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" https://localhost:8088/services/collector/event -d '{"event":"hello world"}{"sourcetype": "hello","index": "abc"}'
Can you please correct the query if I am wrong? Thanks for your help.
Hi Martin,
Thanks for your reply.
My question is how to override or set source, sourcetype through curl. Can you give me an example curl command to set or override?
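Added example, not part of the original thread or of Splunk's code: a small offline checker for an HTTP Event Collector request body, showing why the two failing payloads above do not carry their metadata, plus a builder that puts the metadata in the same object as each event. The function names are hypothetical, the metadata key list is limited to the keys in the documentation quote, and it assumes every object must contain an "event" key.

```python
import json

# Metadata keys taken from the documentation quote in this thread.
META_KEYS = {"time", "host", "source", "sourcetype", "index"}

def split_objects(body):
    """Split a request body into the back-to-back JSON values it contains."""
    decoder, pos, found = json.JSONDecoder(), 0, []
    while pos < len(body):
        if body[pos].isspace():          # raw_decode does not skip whitespace
            pos += 1
            continue
        value, pos = decoder.raw_decode(body, pos)  # ValueError on bad JSON
        found.append(value)
    return found

def check_body(body):
    """Return a list of problems; an empty list means every object is usable."""
    try:
        objects = split_objects(body)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    for n, obj in enumerate(objects, 1):
        if not isinstance(obj, dict):
            problems.append(f"object {n}: not a JSON object")
        elif "event" not in obj:
            stray = sorted(META_KEYS & obj.keys())
            problems.append(f"object {n}: no 'event' key, so {stray} applies to nothing")
    return problems

def build_body(events, **meta):
    """One JSON object per event, each carrying its own copy of the metadata."""
    unknown = set(meta) - META_KEYS
    if unknown:
        raise ValueError(f"keys not in META_KEYS: {sorted(unknown)}")
    return "".join(json.dumps({**meta, "event": event}) for event in events)

# Bodies as typed in the thread's two failing commands (shell quoting aside).
SPLIT = '{"event":"hello world"}{"sourcetype": "hello","index": "abc"}'
UNCLOSED = ('{"event":"Breakfast Order"}{"time": 1426279439,"host": "localhost",'
            '"source": "datasource","sourcetype": "hello","index": "abc",'
            '"event": { "hello": "world" }')

if __name__ == "__main__":
    good = build_body(["hello world", {"hello": "world"}],
                      sourcetype="hello", index="abc")
    for name, body in (("split", SPLIT), ("unclosed", UNCLOSED), ("built", good)):
        print(name, check_body(body) or "ok")
```

Writing the built body to a file and sending it with curl's `-d @file` form avoids the Windows command-prompt quote escaping that the commands in this thread have to deal with.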