
A Python logging handler that sends logs to Splunk using the HTTP Event Collector (HEC)

Project description

Installation

pip install splunk-hec-handler

Features

  1. Log messages to Splunk via HTTP Event Collector (HEC). See Splunk HEC Documentation
  2. All messages are logged as '_json' sourcetype by default.
  3. A dictionary with 'log_level' and 'message' keys is constructed for logging records of type string.

(Screenshot: String log record representation in Splunk)

  4. Dictionary objects are preserved as JSON.

(Screenshot: Dictionary log record representation in Splunk)

  5. If a log record (dict) does not contain a 'time' field, one is added with the value set to the current time.

Examples

Basic

import logging
from splunk_hec_handler import SplunkHecHandler
logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)

# If using self-signed certificate, set ssl_verify to False
# If using http, set proto to http
splunk_handler = SplunkHecHandler('splunkfw.domain.tld',
                    'EA33046C-6FEC-4DC0-AC66-4326E58B54C3',
                    port=8888, proto='https', ssl_verify=True,
                    source="HEC_example")
logger.addHandler(splunk_handler)

The following should result in a Splunk entry with _time set to the current timestamp.

logger.info("Testing Splunk HEC Info message")

(Screenshot: Basic Example)

The following should result in a Splunk entry timestamped Monday, 08/06/2018 4:33:43 AM, containing two custom fields (color, api_endpoint). Custom fields can be seen in verbose mode.

dict_obj = {'time': 1533530023, 'fields': {'color': 'yellow', 'api_endpoint': '/results'},
                    'user': 'foobar', 'app': 'my demo', 'severity': 'low', 'error codes': [1, 23, 34, 456]}
logger.error(dict_obj)

(Screenshot: Fields Example)

Warning: in order to use custom fields, the 'sourcetype' property must be specified in the event, and the sourcetype definition must enable indexed field extractions.

See http://dev.splunk.com/view/event-collector/SP-CAAAE6P for 'fields'

Advanced

Using 'fields', many of the metadata fields associated with an event can be changed from the default. Additionally, new fields that are not part of the event body can also be added.

In the following example, events are sent to two different indexes (see the "Select Allowed Indexes (optional)" setting of the HEC token) and the 'host', 'source' and 'sourcetype' fields are overridden, while some new fields ('color', 'api_endpoint') are added.

import logging
from splunk_hec_handler import SplunkHecHandler

logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)

stream_handler = logging.StreamHandler()
stream_handler.level = logging.DEBUG
logger.addHandler(stream_handler)

token = "EA33046C-6FEC-4DC0-AC66-4326E58B54C3"
# ssl_verify=False skips certificate verification (self-signed test host)
splunk_handler = SplunkHecHandler('splunkfw.domain.tld',
                                 token, index="hec",
                                 port=8080, proto='https', ssl_verify=False,
                                 source="evtx2json", sourcetype='xxxxxxxx_json')
logger.addHandler(splunk_handler)


dict_obj = {'fields': {'color': 'yellow', 'api_endpoint': '/results', 'host': 'app01', 'index':'hec'},
            'user': 'foobar', 'app': 'my demo', 'severity': 'low', 'error codes': [1, 23, 34, 456]}
logger.info(dict_obj)

log_summary_evt = {'fields': {'index': 'adhoc', 'sourcetype': '_json', 'source': 'adv_example'}, 'exit code': 0, 'events logged': 100}
logger.debug(log_summary_evt)

(Screenshot: Advanced Fields Example)
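The record shaping described in the Features list and in the Advanced section above, worked through as an added example. This is not the project's own handler: MiniHecHandler, build_hec_payload, the injectable transport parameter and the SPLUNK_HEC_TOKEN variable are names chosen for this example; the /services/collector/event path and the "Splunk <token>" Authorization header are Splunk's documented HEC interface; lifting 'time' out of the event body into the HEC envelope is an assumption about the library's behaviour.

```python
import json
import logging
import os
import ssl
import time
import urllib.request

# Keys that HEC accepts in the envelope (outside 'event'); when they appear
# inside a record's 'fields' they override the handler defaults, as in the
# Advanced section above.
HEC_METADATA_KEYS = ("host", "source", "sourcetype", "index")


def build_hec_payload(msg, levelname, defaults):
    """Shape one log record into a Splunk HEC event envelope.

    Mirrors the README's documented behaviour; moving 'time' from the event
    body into the envelope is this example's own assumption.
    """
    if isinstance(msg, dict):
        event = dict(msg)  # copy: the caller's dict must not be mutated
    else:
        event = {"log_level": levelname, "message": str(msg)}

    payload = dict(defaults)
    ts = event.pop("time", None)
    payload["time"] = time.time() if ts is None else ts

    fields = dict(event.pop("fields", None) or {})
    for key in HEC_METADATA_KEYS:
        if key in fields:
            payload[key] = fields.pop(key)  # metadata override
    if fields:
        payload["fields"] = fields  # remaining keys become indexed fields
    payload["event"] = event
    return payload


class MiniHecHandler(logging.Handler):
    """Hypothetical minimal HEC handler (not the project's class)."""

    def __init__(self, host, token, port=8088, proto="https", ssl_verify=True,
                 source=None, sourcetype="_json", index=None, transport=None):
        super().__init__()
        # Splunk's documented HEC endpoint and token header scheme.
        self.url = f"{proto}://{host}:{port}/services/collector/event"
        self.token = token
        self.defaults = {k: v for k, v in
                         {"source": source, "sourcetype": sourcetype, "index": index}.items()
                         if v is not None}
        self.context = ssl.create_default_context()
        if not ssl_verify:
            # Disables certificate chain and hostname checks (self-signed lab collector only).
            self.context.check_hostname = False
            self.context.verify_mode = ssl.CERT_NONE
        # transport is injectable so payloads can be captured offline instead of posted.
        self.transport = transport or self._post

    def emit(self, record):
        try:
            payload = build_hec_payload(record.msg, record.levelname, self.defaults)
            self.transport(payload)
        except Exception:
            self.handleError(record)

    def _post(self, payload):
        req = urllib.request.Request(
            self.url, data=json.dumps(payload).encode("utf-8"), method="POST",
            headers={"Authorization": f"Splunk {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.context, timeout=5) as resp:
            return resp.read()


def demo(token=None):
    """Log the README's three record shapes and return the captured payloads."""
    # Token comes from the environment; the fallback is an obvious placeholder.
    token = token or os.environ.get("SPLUNK_HEC_TOKEN", "<hec-token-placeholder>")
    captured = []
    handler = MiniHecHandler("splunkfw.domain.tld", token, port=8088,
                             source="HEC_example", index="hec",
                             transport=captured.append)
    logger = logging.getLogger("MiniHecDemo")
    logger.setLevel(logging.DEBUG)
    logger.handlers = [handler]
    logger.propagate = False
    logger.info("Testing Splunk HEC Info message")
    logger.error({"time": 1533530023,
                  "fields": {"color": "yellow", "api_endpoint": "/results"},
                  "user": "foobar", "severity": "low"})
    logger.debug({"fields": {"index": "adhoc", "sourcetype": "_json",
                             "source": "adv_example", "host": "app01"},
                  "exit code": 0, "events logged": 100})
    return captured


if __name__ == "__main__":
    for p in demo():
        print(json.dumps(p, indent=2))
```

Running the module prints the three envelopes: the string record arrives as a {'log_level', 'message'} event with a fresh epoch time, the dict record keeps its supplied time and its two custom indexed fields, and the third record's 'fields' entries are consumed entirely as index/sourcetype/source/host overrides, so no 'fields' key reaches the collector for it.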

Todo

  1. Event acknowledgement support

Download files

Source Distribution

  • splunk_hec_handler-1.2.0.tar.gz (7.0 kB, Source)

Built Distributions

  • splunk_hec_handler-1.2.0-py3.11.egg (11.5 kB, Source)
  • splunk_hec_handler-1.2.0-py2.py3-none-any.whl (7.1 kB, Python 2, Python 3)

File details

Details for the file splunk_hec_handler-1.2.0.tar.gz.

File metadata

  • Download URL: splunk_hec_handler-1.2.0.tar.gz
  • Size: 7.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.9

File hashes

Hashes for splunk_hec_handler-1.2.0.tar.gz
Algorithm Hash digest
SHA256 69d5284f245cf0ce48e55b2b19bfa8d5bde003d6e518403bb8fa986a796f61a5
MD5 f0c9e2a6b9793794d22d89a129a4c52c
BLAKE2b-256 67f8ebdee911502f7dc21be0d253083ce89e18dd0addcb53f2d8cd11e0010743


File details

Details for the file splunk_hec_handler-1.2.0-py3.11.egg.

File hashes

Hashes for splunk_hec_handler-1.2.0-py3.11.egg
Algorithm Hash digest
SHA256 0ff30a9ee570cf34c749d7cf6db09b27b73ff18047c97f96e961069b1504af19
MD5 cb3dca1dc699d37fb559691f99b63a0f
BLAKE2b-256 add4708403d3b86abaa25ac3913a1a9b6c41dd189acea39cf93c470504584282


File details

Details for the file splunk_hec_handler-1.2.0-py2.py3-none-any.whl.

File hashes

Hashes for splunk_hec_handler-1.2.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 789d3a2960b31bdeb0de102a4f823dde13918ed6be136626247b1160e9d4de63
MD5 f836add2baaccaf81f5217a91bfed3be
BLAKE2b-256 a74c5b9ba26959b5c44da62fd2809b6a9fcdd49accc596ba9b65b244e7542624
