Getting Data In

How to over ride sourcetype using curl command for Http event collector?

mprreddy51
Explorer

Hi,

I configured the Http Event Collector (EC) on my local machine through the GUI (generated a token, created an index and a source type), and in the backend the splunk_httpinput app's local directory got created with an inputs.conf:

[http://test]
disabled = 0
index = testindex
indexes = testindex
source = testtt
sourcetype = testst
token = 8111111111111*********

and from the command prompt, if I run the below curl command:

C:\Program Files\cURL>curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*********" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}"

I can see the events in the search head.

My question is: how do I override the sourcetype and index through curl commands?


martin_mueller
SplunkTrust

According to http://dev.splunk.com/view/event-collector/SP-CAAAE6P you can set special keys in your JSON next to the event to set metadata.



martin_mueller
SplunkTrust

Neither of your payloads is one JSON object. It should be something like ... -d '{"event":"hello world", "sourcetype": "hello", "index": "abc"}'.

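As an added example (not code from this thread or from Splunk), the following Python builds the single-object records Martin describes, batches them as concatenated JSON objects the way HEC accepts them in one POST, and pre-checks a body by reading it as a stream of objects so that split payloads like the ones in the question are rejected before anything is sent. The endpoint URL and token are assumed placeholders.

```python
import json
import urllib.request

# Assumed local HEC endpoint and a placeholder token (not values from the thread).
HEC_URL = "https://localhost:8088/services/collector/event"
HEC_TOKEN = "<hec-token-placeholder>"

def hec_record(event, **meta):
    """One HEC record: the event plus optional metadata keys (time, host,
    source, sourcetype, index) that override the token's inputs.conf defaults."""
    allowed = {"time", "host", "source", "sourcetype", "index"}
    bad = set(meta) - allowed
    if bad:
        raise ValueError(f"unsupported HEC metadata keys: {sorted(bad)}")
    record = {"event": event}
    record.update({k: v for k, v in meta.items() if v is not None})
    return record

def hec_batch_body(records):
    """Serialize a batch as concatenated JSON objects, the form HEC accepts in
    one POST. Metadata lives inside each object, never in a separate one."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in records)

def parse_hec_body(body):
    """Check a body before sending by reading it as HEC does: a stream of JSON
    objects, each of which must carry an 'event' key. Raises ValueError otherwise."""
    decoder, pos, records = json.JSONDecoder(), 0, []
    while pos < len(body):
        if body[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)  # JSONDecodeError is a ValueError
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError(f"record without an 'event' key: {obj!r}")
        records.append(obj)
    return records

def send(body, url=HEC_URL, token=HEC_TOKEN):
    """POST a validated body. Assumes the HEC certificate is trusted by Python;
    the thread's curl -k skips that check, which this code deliberately does not."""
    parse_hec_body(body)
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))
```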

mprreddy51
Explorer

Hi Miller,

Now it is working. I tried it like this on Windows:

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87*D-F645-D-A7E4-EAAD8FC6" -d "{\"time\": 1437522387,\"host\": \"localhost1\",\"source\": \"testapp1\",\"sourcetype\":\"testapp1\",\"index\":\"testindexxxxxx\",\"event\": {\"message\": \"Something happened1\",\"severity\": \"WARN\"}}"

Thanks.


martin_mueller
SplunkTrust

Here's a quote from that page:

Examples

Following are several examples of HTTP Event Collector data packets:

{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "datasource",
    "sourcetype": "txt",
    "index": "main",
    "event": { "hello": "world" }
}

In your question you've only set the event property.


mprreddy51
Explorer

Hi Martin,

I tried the below 2 commands on my local Windows machine, and they are not getting executed.

1)curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" -d "{\"event\":\"Breakfast Order\"}{"time": 1426279439,"host": "localhost","source": "datasource","sourcetype": "hello","index": "abc","event": { "hello": "world" }"

2) curl -k -H "Authorization: Splunk D87D-F645-**D-A7E4-EA*AD8FC6" https://localhost:8088/services/collector/event -d '{"event":"hello world"}{"sourcetype": "hello","index": "abc"}'

Can you please correct the query if I am wrong. Thanks for your help.


mprreddy51
Explorer

Hi Martin,

Thanks for your reply.

My question is how to override or set source and sourcetype through curl. Can you give me an example curl command to set or override them?
