Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Send metrics to a metrics index

If you gather metrics data, you can send it directly to a metrics index using HEC.

Send metrics in JSON format

Use the HEC /collector REST API endpoint to send metrics data over HTTP or HTTPS in JSON format from a client that is not natively supported to a metrics index.

Create a HEC data input for a Metrics index. Then, use the /collector REST API endpoint to send data to the metrics index using the following format:

http://<Splunk_host>:<HTTP_port>/services/collector \
-H "Authorization: Splunk <HEC_token>"              \
-d "<metrics_data>"

You need to provide the following values:

  • Splunk host machine (IP address, host name, or load balancer name)
  • HTTP port number
  • HEC token value
  • Metrics event data, which requires an "event" field set to "metric".


Examples The following example shows a command that sends a metric measurement to a metrics index, with the following values:

  • Splunk host machine: "localhost"
  • HTTP port number: "8088"
  • HEC token value: "b0221cd8-c4b4-465a-9a3c-273e3a75aa29"


curl https://localhost:8088/services/collector                     \
-H "Authorization: Splunk b0221cd8-c4b4-465a-9a3c-273e3a75aa29"       \
-d '{"time": 1486683865.000,"event":"metric","source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":1099511627776,"metric_name":"total"}}'

This command sends two metrics measurements:

curl http://<IP address or host name or load balancer name>:8088/services/collector  \
-H "Authorization: Splunk 98a1e071-bc35-410b-8642-78ce7d829083"                         \
-d '{"time": 1505501013.000,"event":"metric","source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":999311222774,"metric_name":"total"}}
{"time": 1505511013.000,"event":"metric","source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":1099511627776,"metric_name":"total"}}'

Send metrics in collectd format

Use the HEC /collector/raw REST API endpoint to send metrics data over HTTP or HTTPS in collectd JSON format to a metrics index.

Create a HEC data input for a Metrics index and select the Metrics > collectd_http pre-trained source type. Then, use the /collector/raw REST API endpoint to send data directly to a metrics index using the following format:

http://<Splunk_host>:<HTTP_port>/services/collector/raw?sourcetype=collectd_http \
-H "Authorization: Splunk <HEC_token>"                                           \
-d "<metrics_data>"

You need to provide the following values:

  • Splunk host machine (IP address, host name, or load balancer name)
  • HTTP port number
  • HEC token value
  • Metrics event data in collectd JSON format

Because collectd is supported natively, you can configure collectd to send data to a metrics index. For more, see Get metrics in from collectd in the Metrics manual.

Example

The following example shows a command that sends a metric measurement to a metrics index, with the following values:

  • Splunk host machine: "localhost"
  • HTTP port number: "8088"
  • HEC token value: "b0221cd8-c4b4-465a-9a3c-273e3a75aa29"
curl https://localhost:8088/services/collector/raw?sourcetype=collectd_http   \
-H "Authorization: Splunk b0221cd8-c4b4-465a-9a3c-273e3a75aa29"                  \
-d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1505356687.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'

For more information

For more information, see:

Last modified on 13 October, 2021
Automate indexed field extractions with HTTP Event Collector   HTTP Event Collector REST API endpoints

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters