新建标记
通过 HTTP 接口(HTTP Event Collector,简称 HEC)向 Splunk 发送数据之前,需要先在 Splunk 中新建一个标记(token)。
设置->数据输入->HTTP 事件收集器->新建标记
测试
# Post two test events to the HEC endpoint in a single request. The body is two
# JSON event objects written back to back (no comma, no enclosing array).
# -k turns off TLS certificate verification, so the token in the Authorization
# header is sent to a server whose identity was never checked; keep that to a
# lab check. Once the collector presents a trusted certificate, drop -k or
# point curl at the CA with --cacert <CA_BUNDLE_PATH_PLACEHOLDER>.
# The value after "Splunk " is the HEC token created in the previous step;
# it is a credential, so substitute your own and keep it out of shared notes
# and shell history.
curl -k https://IP:8088/services/collector/event -H "Authorization: Splunk 9213be6a-2ebc-47bb-9da9-e9c2fa1345f4" -d "{\"host\":\"127.0.0.1\",\"time\":1561144452.611000,\"sourcetype\":\"some_sourcetype\",\"index\":\"sample\",\"event\":{\"eventKey\":\"0\", \"uuid\":\"88b5e9fd-ebe0-4fe1-aeeb-b3d583ec9cfd\",\"message\":\"dnnpfbbwic\"}}{\"time\":1561144552.611000,\"sourcetype\":\"some_sourcetype\",\"index\":\"sample\",\"event\":{\"eventKey\":\"0\", \"uuid\":\"88b5e9fd-ebe0-4fe1-aeeb-b3d583ec9cfd\",\"message\":\"abc\"}}"
发送成功后,接口会返回:
{
"text": "Success",
"code": 0
}
基于Python3的封装
# coding=utf-8
import urllib
import httplib2
from xml.dom import minidom
import time
import json
import traceback
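class SplunkInput(object):
    """Small client for posting events to a Splunk HTTP Event Collector (HEC).

    The HEC token is sent in the ``Authorization`` header of every request,
    so it is a credential: load it from configuration or a secret store
    instead of committing it next to the code.

    Args:
        baseurl: Scheme, host and port of the collector, e.g.
            ``https://IP:8088``. A trailing slash is ignored.
        token: HEC token value created in Splunk.
        verify_tls: Whether the server certificate is validated. The default
            (``False``) keeps this wrapper's original behaviour, in which
            validation is switched off; with validation off the token and
            the events go to a server whose identity was never checked.
            Pass ``True`` outside a lab.
        ca_certs: Optional path to a CA bundle handed to httplib2, for a
            collector whose certificate is issued by a private CA.
    """

    def __init__(self, baseurl='https://IP:8088', token='标记值',
                 verify_tls=False, ca_certs=None):
        self.baseurl = baseurl.rstrip('/')
        # Attribute name kept for existing callers; it holds the HEC token.
        self.sessionKey = token
        self.verify_tls = verify_tls
        self.ca_certs = ca_certs

    def submit_job(self, data):
        """POST ``data`` as JSON to ``/services/collector/event``.

        Args:
            data: JSON-serialisable event payload.

        Returns:
            The response body exactly as httplib2 returns it (the second
            element of the ``request()`` result). The HTTP status is not
            inspected here, so callers should check the returned body.
        """
        http = httplib2.Http(
            ca_certs=self.ca_certs,
            disable_ssl_certificate_validation=not self.verify_tls)
        # NOTE(review): json.dumps() of a list yields a JSON array, while the
        # curl example on this page batches events as back-to-back objects;
        # confirm the target Splunk version accepts the array form.
        _response, content = http.request(
            self.baseurl + '/services/collector/event',
            'POST',
            headers={'Authorization': 'Splunk %s' % self.sessionKey},
            body=json.dumps(data))
        return content

    def run(self, data):
        """Submit ``data``, print the elapsed wall-clock time, return the body."""
        start = time.time()
        result = self.submit_job(data)
        end = time.time()
        print("submit time:", end - start)
        return result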
调用
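# Example caller: build two sample events for SplunkInput.
# socket is used below for gethostname() but is not among the imports shown
# with the wrapper, so it is imported here; time is repeated so the snippet
# also works when pasted on its own.
import socket
import time

print(">>>>>>>>>>>>>>SplunkInput>>>>>>>>>>>>>>>>>>>>>>")
hostname = socket.gethostname()
SI = SplunkInput()
s_time = int(time.time())
data = [{
    # No "time" key on this event; only the second one sets it explicitly.
    "host": hostname,
    "sourcetype": "test",
    "index": "sample",
    "event": {
        "eventKey": "0",
        "uuid": "88b5e9fd-ebe0-4fe1-aeeb-b3d583ec9cfd",
        "message": "abc"
    }
}, {
    "host": hostname,
    "time": s_time,  # epoch seconds, truncated to an int above
    "sourcetype": "test",
    "index": "sample",
    "event": {
        "eventKey": "1",
        "uuid": "1233444-ebe0-4fe1-aeeb-b3d583ec9cfd",
        "message": "def"
    }
}]
# NOTE(review): nothing in the visible listing sends `data` yet; presumably
# SI.run(data) follows. Confirm against the full example.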