A Python logging handler to sends logs to Splunk using HTTP event collector (HEC)
Project description
Installation
pip install splunk-hec-handler
Features
- Log messages to Splunk via HTTP Event Collector (HEC). See Splunk HEC Documentation
- All messages are logged as '_json' sourcetype by default.
- A dictionary with 'log_level' and 'message' keys are constructed for logging records of type string.
- Dictionary objects are preserved as JSON.
- If log record (dict) does not contains a 'time' field, one is added with the value set to current time.
Examples
Basic
import logging
from splunk_hec_handler import SplunkHecHandler
logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)
# If using self-signed certificate, set ssl_verify to False
# If using http, set proto to http
splunk_handler = SplunkHecHandler('splunkfw.domain.tld',
'EA33046C-6FEC-4DC0-AC66-4326E58B54C3',
port=8888, proto='https', ssl_verify=True,
source="HEC_example")
logger.addHandler(splunk_handler)
Following should result in a Splunk entry with _time set to current timestamp.
logger.info("Testing Splunk HEC Info message")
Following should result in a Splunk entry of Monday, 08/06/2018 4:33:43 AM, and contain two custom fields (color, api_endpoint). Custom fields can be seen in verbose mode.
dict_obj = {'time': 1533530023, 'fields': {'color': 'yellow', 'api_endpoint': '/results'},
'user': 'foobar', 'app': 'my demo', 'severity': 'low', 'error codes': [1, 23, 34, 456]}
logger.error(dict_obj)
:warning: In order to use custom fields, 'sourcetype' property must be specified in the event and sourcetype definition must enable indexed field extractions.
See http://dev.splunk.com/view/event-collector/SP-CAAAE6P for 'fields'
Advanced
Using 'fields', many of the metadata fields associated with an event can be changed from the default. Additionally, new fields, which are not part of the event, can be also added.
In the following example, we are sending events to two different indexes (see "Select Allowed Indexes (optional)" setting) and overriding 'host', 'source', 'sourcetype' fields, while adding some new fields ('color', 'api_endpoint').
import logging
from splunk_hec_handler import SplunkHecHandler
logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)
stream_handler = logging.StreamHandler()
stream_handler.level = logging.DEBUG
logger.addHandler(stream_handler)
token = "EA33046C-6FEC-4DC0-AC66-4326E58B54C3'
splunk_handler = SplunkHecHandler('splunkfw.domain.tld',
token, index="hec",
port=8080, proto='https', ssl_verify=False
source="evtx2json", sourcetype='xxxxxxxx_json')
logger.addHandler(splunk_handler)
dict_obj = {'fields': {'color': 'yellow', 'api_endpoint': '/results', 'host': 'app01', 'index':'hec'},
'user': 'foobar', 'app': 'my demo', 'severity': 'low', 'error codes': [1, 23, 34, 456]}
logger.info(dict_obj)
log_summary_evt = {'fields': {'index': 'adhoc', 'sourcetype': '_json', 'source': 'adv_example'}, 'exit code': 0, 'events logged': 100}
logger.debug(log_summary_evt)
Todo
- Event acknowledgement support
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distributions
Hashes for splunk_hec_handler-1.2.0-py3.11.egg
Algorithm | Hash digest | |
---|---|---|
SHA256 | 0ff30a9ee570cf34c749d7cf6db09b27b73ff18047c97f96e961069b1504af19 |
|
MD5 | cb3dca1dc699d37fb559691f99b63a0f |
|
BLAKE2b-256 | add4708403d3b86abaa25ac3913a1a9b6c41dd189acea39cf93c470504584282 |
Hashes for splunk_hec_handler-1.2.0-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 789d3a2960b31bdeb0de102a4f823dde13918ed6be136626247b1160e9d4de63 |
|
MD5 | f836add2baaccaf81f5217a91bfed3be |
|
BLAKE2b-256 | a74c5b9ba26959b5c44da62fd2809b6a9fcdd49accc596ba9b65b244e7542624 |