使用 HTTP Event Collector
go to Settings > Data inputs > HTTP Event Collector. Then click the Global Settings button in the upper-right corner. 然后enable設置下!
然后去add data添加http EC。
在設置里source type選擇json。
完成后會給你生成一個token!
使用如下命令導入數據:
curl -k https://<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
在上面的配置下,其中xxtest是我建立的HEC名(URL不帶event也是可以的!):
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk E35F7010-B2DC-4061-B2EA-2870FC8EA546" -d '{"event": "hello world bone this is a temp test", "sourcetype": "xxtest"}'
You should now see the following response:
{"text":"Success","code":0}
然后去splunk的搜索界面,https://localhost:8000,輸入:source=xxtest,可以看到上述數據。
補充:
(1)批量導入:
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk B5094A4D-315D-4AE1-B41D-5F9907DCC350" -d '{"event": "ec 12 17:45:01 PEK1000074003 CRON222[22196]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)", "sourcetype": "hec_test"}{"event": "ec 12 17:45:01 PEK1000074003 CRON333[22196]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)", "sourcetype": "hec_test"}'
可以搜到cron222和cron333
(2)事件為json多字段:
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk B5094A4D-315D-4AE1-B41D-5F9907DCC350" -d '{"event": {"ctime": "2014-11-24 21:13:26.991", "content": " EventText EventText EventText EventText EventText EventText EventText"}, "sourcetype": "hec_test"}'
其他注意事項:我在splunk web里setting里設置了ssl 為true,就是說必須使用ssl才可以訪問。可能會對上述操作由影響。
參考:
http://dev.splunk.com/view/event-collector/SP-CAAAE7F
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/UsetheHTTPEventCollector
http://docs.splunk.com/images/7/76/Splunk-6.4.0-zh_CN-Data.pdf 搜索curl可找到相關說明