使用 HTTP Event Collector
go to Settings > Data inputs > HTTP Event Collector. Then click the Global Settings button in the upper-right corner. 然后enable设置下!
然后去add data添加http EC。
在设置里source type选择json。
完成后会给你生成一个token!
使用如下命令导入数据:
curl -k https://<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
在上面的配置下,其中xxtest是我建立的HEC名(URL不带event也是可以的!):
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk E35F7010-B2DC-4061-B2EA-2870FC8EA546" -d '{"event": "hello world bone this is a temp test", "sourcetype": "xxtest"}'
You should now see the following response:
{"text":"Success","code":0}
然后去splunk的搜索界面,https://localhost:8000,输入:source=xxtest,可以看到上述数据。
补充:
(1)批量导入:
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk B5094A4D-315D-4AE1-B41D-5F9907DCC350" -d '{"event": "ec 12 17:45:01 PEK1000074003 CRON222[22196]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)", "sourcetype": "hec_test"}{"event": "ec 12 17:45:01 PEK1000074003 CRON333[22196]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)", "sourcetype": "hec_test"}'
可以搜到cron222和cron333
(2)事件为json多字段:
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk B5094A4D-315D-4AE1-B41D-5F9907DCC350" -d '{"event": {"ctime": "2014-11-24 21:13:26.991", "content": " EventText EventText EventText EventText EventText EventText EventText"}, "sourcetype": "hec_test"}'
其他注意事项:我在splunk web里setting里设置了ssl 为true,就是说必须使用ssl才可以访问。可能会对上述操作由影响。
参考:
http://dev.splunk.com/view/event-collector/SP-CAAAE7F
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/UsetheHTTPEventCollector
http://docs.splunk.com/images/7/76/Splunk-6.4.0-zh_CN-Data.pdf 搜索curl可找到相关说明