Demo Python Class for HTTP Event Collector in Splunk Enterprise 6.4.x

License

Notifications You must be signed in to change notification settings

jyung-hk/hec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Demo Python Class for HTTP Event Collector of Splunk Enterprise 6.4.x

Usage

First step. Import the Class

  import hec

Option 1. JSON Data payload

  myHEC = hec.hecJson(String: indexer ip address, String: port, String: token)
  myHEC.submit(String: sourcetype, String: source, Json: event)

e.g.

  myHEC = hec.hecJson("192.168.10.8","8088","75475867-EE4F-4357-BBA3-03F1D66F3697")
  myHEC.submit("10dof","sensorData.py",eventData)

Option 2. RAW Data payload

  myHEC = hec.hecRaw(String: indexer ip address, String: port, String: token)
  myHEC.submit(String: raw event)

e.g.

  myHEC = hec.hecRaw("192.168.10.8","8088","75475867-EE4F-4357-BBA3-03F1D66F3697")
  myHEC.submit("Raw event data example")

Optional Indexer Acknowledgment: supported by both hecRaw and hecJson

  resp, ackId = myHEC.submit("10dof","sensorData.py",eventData)
  • resp: True/False, whether the transfer succeeded
  • ackId: -1 indicates Indexer Acknowledgment is disabled on the indexer; a number > 0 is the acknowledgment number of the transfer

To query if the payload of a specific acknowledgment number is indexed

  respRack = myHEC.queryAck(ackEvent)
  • ackEvent: a json object containing an array of acknowledgment numbers
  • respRack: a json object containing the status of each queried acknowledgment number

For details, please refer to the Splunk Documentation

  • Note: the event timestamp is the time when the event is submitted, not the time it is received by the Indexer.

Other supporting methods

  setHTTPS(Boolean: True/False)
  • Note: it should match the server-side setting; certificate verification is disabled.
  setIndexer(String: indexer ip address)
  setIndexerPort(String: indexer port)
  setGUID(String: guid)
  • Note: the class comes with a fixed, default GUID. It is recommended to assign a new GUID for each dedicated data channel.
  setHost(String: value of the meta field 'host')
  • Note: default is the hostname of the socket.
  setToken(String: token of the HEC channel)
