
Send metrics to a metrics index
If you gather metrics data, you can send it directly to a metrics index using HEC.
Send metrics in JSON format
Use the HEC /collector REST API endpoint to send metrics data in JSON format to a metrics index, over HTTP or HTTPS, from a client that is not natively supported.
Create an HEC data input for a metrics index. Then, use the /collector REST API endpoint to send data to the metrics index using the following format:
http://<Splunk_host>:<HTTP_port>/services/collector \
  -H "Authorization: Splunk <HEC_token>" \
  -d "<metrics_data>"
You need to provide metrics event data and the following values:
- The Splunk host machine (an IP address, host name, or load balancer name)
- An HTTP port number
- An HEC token value
Examples
The following example shows a command that sends a metric measurement to a metrics index, with the following values:
- Splunk host machine: "localhost"
- HTTP port number: "8088"
- HEC token value: "b0221cd8-c4b4-465a-9a3c-273e3a75aa29"
curl -k https://localhost:8088/services/collector \
  -H "Authorization: Splunk b0221cd8-c4b4-465a-9a3c-273e3a75aa29" \
  -d '{"time": 1486683865.000,"source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":1099511627776,"metric_name":"total"}}'
This command sends two metrics measurements:
curl -k http://<IP address or host name or load balancer name>:8088/services/collector \
  -H "Authorization: Splunk 98a1e071-bc35-410b-8642-78ce7d829083" \
  -d '{"time": 1505501013.000,"source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":999311222774,"metric_name":"total"}} {"time": 1505511013.000,"source":"disk","host":"host_99","fields":{"region":"us-west-1","datacenter":"us-west-1a","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","_value":1099511627776,"metric_name":"total"}}'
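The curl commands above pass -k, which turns off certificate verification, and the two-measurement command uses http://, so the HEC token in the Authorization header crosses the network unprotected. The following Python client is an added example, not code from the Splunk documentation: it builds the same /services/collector request with JSON-safe encoding, refuses plain HTTP, and sends with certificate verification on. The function names metric_event, hec_request and send are hypothetical, and the host name and token are constructed placeholders.

```python
import json
import math
import ssl
import urllib.request


def metric_event(name, value, dimensions, time=None, host=None, source=None):
    """One measurement: dimensions plus metric_name and _value under "fields"."""
    if isinstance(value, bool) or not isinstance(value, (int, float)) \
            or not math.isfinite(value):
        raise ValueError("_value must be a finite number")
    clash = {"metric_name", "_value"} & set(dimensions)
    if clash:
        raise ValueError(f"dimension names collide with metric keys: {sorted(clash)}")
    event = {"fields": {**dimensions, "_value": value, "metric_name": name}}
    for key, val in (("time", time), ("host", host), ("source", source)):
        if val is not None:
            event[key] = val
    return event


def hec_request(host, port, token, events, scheme="https"):
    """Build the POST to /services/collector without sending it."""
    if scheme != "https":
        # Over http:// the Authorization header (the HEC token) travels in clear text.
        raise ValueError("refusing to send an HEC token over plain HTTP")
    # json.dumps handles quoting; measurements are whitespace-separated JSON
    # objects in one body, as in the two-measurement command, not a JSON array.
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    return urllib.request.Request(
        f"{scheme}://{host}:{port}/services/collector",
        data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}"})


def send(request, ca_file=None):
    """Send with certificate and host name verification on (no `curl -k` equivalent)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    dims = {"region": "us-west-1", "path": "/dev/sda1", "fstype": "ext3"}
    events = [metric_event("total", 999311222774, dims, 1505501013.000, "host_99", "disk"),
              metric_event("total", 1099511627776, dims, 1505511013.000, "host_99", "disk")]
    # Constructed placeholder token and host; load the real token from a secret store.
    req = hec_request("splunk.example.com", 8088, "00000000-0000-0000-0000-000000000000", events)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

If the HEC endpoint presents a certificate from a private CA, pass that CA bundle as ca_file to send() instead of disabling verification.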
Send metrics in collectd format
Use the HEC /collector/raw REST API endpoint to send metrics data over HTTP or HTTPS in collectd JSON format to a metrics index.
Create an HEC data input for a metrics index and select the Metrics > collectd_http pre-trained source type. Then, use the /collector/raw REST API endpoint to send data directly to a metrics index using the following format:
http://<Splunk_host>:<HTTP_port>/services/collector/raw?sourcetype=collectd_http \
  -H "Authorization: Splunk <HEC_token>" \
  -d "<metrics_data>"
You need to provide metrics data in collectd format and the following values:
- The Splunk host machine (an IP address, host name, or load balancer name)
- An HTTP port number
- An HEC token value
Because collectd is supported natively, you can configure collectd to send data to a metrics index. For more, see Get metrics in from collectd in the Metrics manual.
Example
The following example shows a command that sends a metric measurement to a metrics index, with the following values:
- Splunk host machine: "localhost"
- HTTP port number: "8088"
- HEC token value: "b0221cd8-c4b4-465a-9a3c-273e3a75aa29"
curl -k "https://localhost:8088/services/collector/raw?sourcetype=collectd_http" \
  -H "Authorization: Splunk b0221cd8-c4b4-465a-9a3c-273e3a75aa29" \
  -d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1505356687.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'
For more information
For more information, see:
- Overview of metrics in the Metrics manual
- Create metrics indexes in the Managing Indexers and Clusters of Indexers manual
- /collector and /collector/raw in the REST API Reference Manual
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1