
A Python connector that sends your data to Splunk

Project description

Splunk Data Sender


Splunk Data Sender is a very simple and minimal Python package for sending logged events to an installation of Splunk Enterprise through its REST API.

This logger requires the destination Splunk Enterprise server to have the Splunk HTTP Event Collector (HEC) enabled and configured.

Installation

Pip:

pip install splunk-data-sender

Manual:

python3 setup.py install

Usage

from splunk_data_sender import SplunkSender

Then create a SplunkSender instance with your preferred configuration. You can then use the two methods send_data() and check_acks() to, respectively, send logs and check message acknowledgements (this requires useAck to be enabled on the HEC token).

Example:

import logging
from splunk_data_sender import SplunkSender

# Configuration is kept in a plain dict so it can be unpacked into SplunkSender below.
splunk_conf = dict(
    host='splunk.example.com',
    port='8088',
    token='851A5E58-4EF1-7291-F947-F614A76ACB21',  # HEC token; treat it as a credential and keep it out of source control
    index='main',
    channel='16c70678-e516-44a9-854d-d139929e6869',  # GUID, required when useAck is enabled
    api_version='0.1',
    # hostname='hostname',  # manually set a hostname parameter, defaults to socket.gethostname()
    # source='source',  # manually set a source, defaults to the log record.pathname
    # sourcetype='generic_single_line',  # manually set a sourcetype, defaults to 'generic_single_line'
    # allow_overrides=True,  # whether to honour the Splunk built-in parameters (index, host, etc.) found in a record, defaults to False
    # verify=True,  # turn SSL verification on or off, defaults to True
    # timeout=60,  # timeout for waiting on a 200 OK from Splunk server, defaults to 60s
    # retry_count=5,  # number of retry attempts on a failed/erroring connection, defaults to 5
    # retry_backoff=2.0,  # backoff factor, default options will retry for 1 min, defaults to 2.0
    # enable_debug=False,  # turn on debug mode; prints module activity to stdout, defaults to False
)

splunk = SplunkSender(**splunk_conf)

# The first payload is a quote from the Italian theme song of Hello!Spank
txt_record = "Hello! Splunk resta con me, Hello! Splunk non te ne andare, Caro Splunk! gioca con me, siamo amici io e te."
json_record = {  # this record will be parsed as normal text due to the default "sourcetype" conf param
    "source": "spacecraft Discovery 1",
    "host": "HAL9000",
    "sourcetype": "_json",
    "index": "main",
    "event": {"message": "I am afraid I can't do that Dave.", "severity": "ERROR"},
    "rack": "42",
    "os": "Linux, obvious",
    "arch": "x64"
}
payloads = [txt_record, json_record]

# send_data() returns the HEC response; with useAck enabled it carries an 'ackId'
splunk_res = splunk.send_data(payloads)
logging.info(splunk_res)

# check_acks() asks HEC whether the batch behind that ackId has been indexed
ack_id = splunk_res.get('ackId')
splunk_ack_res = splunk.check_acks(ack_id)
logging.info(splunk_ack_res)

Configuration parameters notes

"sourcetype"

If this param is set to "_json" (and "allow_overrides" is set too), the parameters that are not built-in are added inside a "fields" key, described below. Refer to the official Splunk documentation for more information about source types.

"allow_overrides"

If this param is set to "True", any of the Splunk built-in parameters (time, source, host, index) found in a record will override the autocompleted parameters.
For example, a JSON record with "time" = 1486683865.000 will be indexed by Splunk as an event in the past.

Notes for JSON source type event

Refer to the official Splunk documentation for more information about the use of JSON source type.

Nested JSON inside the "event" property

In some cases, events contain nested JSON holding the custom fields to be indexed. In this case you have to set "sourcetype" = "_json".

"fields"

Fields for indexing that do not occur in the event payload itself.
Use this parameter when you do not want particular fields included in the event data but still need additional metadata for indexing and searching.
In the above example, "rack", "os" and "arch" will be included inside the "fields" key.

Using this method is also typically faster than the nested JSON method.
Be aware that you must send HEC requests containing the fields property to the /collector/event endpoint; otherwise they will not be indexed.
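To make the rules in the Usage section and the notes above concrete (which record keys become HEC metadata, which are honoured only with "allow_overrides", and which land under "fields"), here is an added, self-contained example. It is not the library's code: build_event, encode_batch, send_events and check_acks are hypothetical helpers written for this page with the standard library only, the default "source" value and the handling of built-in keys when overrides are disabled are assumptions, and the sample records are constructed to match the README's example. The token is read from a placeholder environment variable rather than hardcoded.

```python
import json
import os
import socket
import ssl
import time
import urllib.request

# HEC metadata keys; the README calls these the "built-in parameters".
BUILTIN_KEYS = ("time", "host", "source", "sourcetype", "index")


def build_event(record, *, sourcetype="generic_single_line", allow_overrides=False,
                host=None, source="splunk_data_sender", index=None):
    """Wrap one record in the JSON envelope the HEC /services/collector/event
    endpoint expects. Hypothetical helper mirroring the README's rules."""
    envelope = {
        "time": time.time(),                   # autocompleted, may be overridden below
        "host": host or socket.gethostname(),
        "source": source,                      # assumption: a fixed default source
        "sourcetype": sourcetype,
    }
    if index:
        envelope["index"] = index

    if isinstance(record, str) or sourcetype != "_json":
        # Text source types: the whole record is the raw event string.
        envelope["event"] = record if isinstance(record, str) else json.dumps(record)
        return envelope

    fields = {}
    for key, value in record.items():
        if key == "event":
            envelope["event"] = value          # the nested JSON payload itself
        elif key in BUILTIN_KEYS and allow_overrides:
            envelope[key] = value              # record metadata wins over the defaults
        else:
            # Everything else becomes indexed metadata under "fields".
            # Assumption: a built-in key is kept here when overrides are off, so a
            # record cannot relabel its host or index unless you opt in explicitly.
            fields[key] = value
    if fields:
        envelope["fields"] = fields
    return envelope


def encode_batch(events):
    """HEC accepts several event objects concatenated in one POST body."""
    return "".join(json.dumps(e) for e in events).encode("utf-8")


def _post_json(url, body, token, channel, timeout):
    """POST to HEC over TLS with certificate verification left on."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:                                # required when useAck is enabled
        headers["X-Splunk-Request-Channel"] = channel
    request = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(request, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode("utf-8"))


def send_events(events, host, port, token, channel=None, timeout=60):
    """Send a batch; the response looks like {"text": "Success", "code": 0, "ackId": 0}."""
    return _post_json(f"https://{host}:{port}/services/collector/event",
                      encode_batch(events), token, channel, timeout)


def check_acks(ack_ids, host, port, token, channel, timeout=60):
    """Ask HEC which ackIds have been indexed via /services/collector/ack."""
    return _post_json(f"https://{host}:{port}/services/collector/ack",
                      json.dumps({"acks": list(ack_ids)}).encode("utf-8"),
                      token, channel, timeout)


if __name__ == "__main__":
    # Constructed sample records, same shape as the README's example.
    txt_record = "Hello! Splunk resta con me, Hello! Splunk non te ne andare."
    json_record = {"source": "spacecraft Discovery 1", "host": "HAL9000",
                   "sourcetype": "_json", "index": "main",
                   "event": {"message": "I am afraid I can't do that Dave.", "severity": "ERROR"},
                   "rack": "42", "os": "Linux, obvious", "arch": "x64"}
    batch = [build_event(txt_record),
             build_event(json_record, sourcetype="_json", allow_overrides=True)]
    print(encode_batch(batch).decode("utf-8"))
    token = os.environ.get("SPLUNK_HEC_TOKEN")      # placeholder variable name
    if token:
        print(send_events(batch, "splunk.example.com", 8088, token))
```

Running it without the environment variable only prints the two envelopes: the text record becomes a plain "event" string under the default sourcetype, while the JSON record's "source", "host", "sourcetype" and "index" replace the defaults and "rack", "os" and "arch" end up under "fields". Leaving allow_overrides at False keeps a record from relabelling its own host or index, which is the safer setting when the records come from less trusted code paths.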

Retry Logic

This library uses the built-in retry logic from urllib3 (a retry counter and a backoff factor). Should the defaults not be desirable, you can find more information about how to best configure these settings in the urllib3 documentation.
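As an added illustration of what the retry_count and retry_backoff defaults amount to (not the library's own code), the following standard-library example reproduces the backoff formula urllib3's Retry applies: no sleep before the first retry, then backoff_factor * 2**(n-1) before retry n, capped at a maximum. With the README's defaults of 5 retries and a factor of 2.0 the sleeps are 0, 4, 8, 16 and 32 seconds, which is the "retry for 1 min" mentioned in the configuration comments. The send_with_retry helper and the flaky_sender stand-in are constructed for this page; sleep is injectable so the schedule can be checked without waiting.

```python
import time


def backoff_schedule(retry_count=5, backoff_factor=2.0, backoff_max=120):
    """Seconds to sleep before retry n (1-based), following urllib3's
    Retry.get_backoff_time(): 0 before the first retry, then exponential growth."""
    return [0 if n == 1 else min(backoff_max, backoff_factor * 2 ** (n - 1))
            for n in range(1, retry_count + 1)]


def send_with_retry(send, retry_count=5, backoff_factor=2.0, sleep=time.sleep):
    """Call send() until it succeeds or the retry budget is spent.
    Returns (result, attempts). Connection failures are retried; once the
    budget is exhausted the last ConnectionError propagates to the caller."""
    schedule = backoff_schedule(retry_count, backoff_factor)
    attempts = 0
    while True:
        attempts += 1
        try:
            return send(), attempts
        except ConnectionError:
            if attempts > retry_count:
                raise
            sleep(schedule[attempts - 1])


def flaky_sender(failures):
    """Constructed stand-in for the HEC POST: raises ConnectionError for the
    first `failures` calls, then returns a HEC-style success response."""
    state = {"calls": 0}

    def send():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionError("HEC unreachable")
        return {"text": "Success", "code": 0}

    return send


if __name__ == "__main__":
    print("sleep schedule:", backoff_schedule(), "total:", sum(backoff_schedule()))
    result, attempts = send_with_retry(flaky_sender(3), sleep=lambda s: print(f"sleeping {s}s"))
    print(result, "after", attempts, "attempts")
```

Because a retried POST resends the whole batch, a request that timed out after Splunk had already accepted it can be indexed twice; the acknowledgement check described in the Usage section is the way to confirm what the first attempt actually delivered.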

Contributing

Feel free to contribute an issue or pull request:

  1. Check for existing issues and PRs
  2. Fork the repo, and clone it locally
  3. Create a new branch for your contribution
  4. Push to your fork and submit a pull request

License

This project is licensed under the terms of the MIT license.


Source Distribution

splunk_data_sender-0.0.5.tar.gz (9.0 kB)

Uploaded: Source

Built Distribution

splunk_data_sender-0.0.5-py2.py3-none-any.whl (9.0 kB)

Uploaded: Python 2, Python 3

File details

Details for the file splunk_data_sender-0.0.5.tar.gz.

File metadata

  • Download URL: splunk_data_sender-0.0.5.tar.gz
  • Size: 9.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.0

File hashes

Hashes for splunk_data_sender-0.0.5.tar.gz

  • SHA256: 943b095723e637d9944a8c4d1951cb7d7fd59decd0dd123176ce0efa03e2a88f
  • MD5: 152157e4462f68d5a6a88169af90eecc
  • BLAKE2b-256: 4a27ff079aa2c141841ae4c78fde42d22a0b175d1674b03ef0644b311803265e

File details

Details for the file splunk_data_sender-0.0.5-py2.py3-none-any.whl.

File metadata

  • Download URL: splunk_data_sender-0.0.5-py2.py3-none-any.whl
  • Size: 9.0 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.0

File hashes

Hashes for splunk_data_sender-0.0.5-py2.py3-none-any.whl

  • SHA256: d2af2c61cf1bd1a57aa898c0aa98697082469237a2838a0dc5c48aa457bae125
  • MD5: 9f20abd9a56ac2d6cf2133b72528a153
  • BLAKE2b-256: 79458e6bb2024fdb3e6a1c2cd425e9d208de190c2b41b9dd8b381ad3dc0d1a70
