A Python logging handler to send logs to Splunk using HTTP Event Collector (HEC)
Project description
Installation
```
pip install splunk-hec-handler
```
Features
- Log messages to Splunk via HTTP Event Collector (HEC). See the Splunk HEC documentation.
- All messages are logged with the '_json' sourcetype by default.
- For log records of type string, a dictionary with 'log_level' and 'message' keys is constructed.
- Dictionary objects are preserved as JSON.
- If a log record (dict) does not contain a 'time' field, one is added with the value set to the current time.
Examples
Basic
```python
import logging
from splunk_hec_handler import SplunkHecHandler

logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)

# If using a self-signed certificate, set ssl_verify to False
# If using http, set proto to http
splunk_handler = SplunkHecHandler('splunkfw.domain.tld',
                                  'EA33046C-6FEC-4DC0-AC66-4326E58B54C3',
                                  port=8888, proto='https', ssl_verify=True,
                                  source="HEC_example")
logger.addHandler(splunk_handler)
```
The following should result in a Splunk entry with _time set to the current timestamp.

```python
logger.info("Testing Splunk HEC Info message")
```
The following should result in a Splunk entry timestamped Monday, 08/06/2018 4:33:43 AM, containing two custom fields (color, api_endpoint). Custom fields can be seen in verbose mode.

```python
dict_obj = {'time': 1533530023,
            'fields': {'color': 'yellow', 'api_endpoint': '/results'},
            'user': 'foobar', 'app': 'my demo', 'severity': 'low',
            'error codes': [1, 23, 34, 456]}
logger.error(dict_obj)
```
:warning: In order to use custom fields, the 'sourcetype' property must be specified in the event, and the sourcetype definition must enable indexed field extractions.
See http://dev.splunk.com/view/event-collector/SP-CAAAE6P for details on 'fields'.
Advanced
Using 'fields', many of the metadata fields associated with an event can be changed from the default. Additionally, new fields that are not part of the event body can also be added.
In the following example, we send events to two different indexes (see the "Select Allowed Indexes (optional)" setting of the HEC token) and override the 'host', 'source' and 'sourcetype' fields, while adding some new fields ('color', 'api_endpoint').
```python
import logging
from splunk_hec_handler import SplunkHecHandler

logger = logging.getLogger('SplunkHecHandlerExample')
logger.setLevel(logging.DEBUG)

# Also echo records to the console
stream_handler = logging.StreamHandler()
stream_handler.setLevel(logging.DEBUG)
logger.addHandler(stream_handler)

token = "EA33046C-6FEC-4DC0-AC66-4326E58B54C3"
splunk_handler = SplunkHecHandler('splunkfw.domain.tld', token, index="hec",
                                  port=8080, proto='https', ssl_verify=False,
                                  source="evtx2json", sourcetype='xxxxxxxx_json')
logger.addHandler(splunk_handler)

# 'fields' overrides host and index, and adds two custom fields
dict_obj = {'fields': {'color': 'yellow', 'api_endpoint': '/results',
                       'host': 'app01', 'index': 'hec'},
            'user': 'foobar', 'app': 'my demo', 'severity': 'low',
            'error codes': [1, 23, 34, 456]}
logger.info(dict_obj)

# Route a summary event to a different index, sourcetype and source
log_summary_evt = {'fields': {'index': 'adhoc', 'sourcetype': '_json',
                              'source': 'adv_example'},
                   'exit code': 0, 'events logged': 100}
logger.debug(log_summary_evt)
```
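To make the record-shaping rules from the Features list and the 'fields' overrides above concrete, here is an added, dependency-free example (not the library's own code) that builds the HEC envelope a record would be sent as. It assumes, as a simplification, that 'host', 'index', 'source' and 'sourcetype' inside 'fields' replace the handler defaults and every other key becomes a custom indexed field; the HecPayloadFormatter class and build_hec_event function are hypothetical names.

```python
import json
import logging
import time

# HEC metadata keys that the README's advanced example overrides via 'fields'
HEC_METADATA_KEYS = ("host", "index", "source", "sourcetype")


def build_hec_event(msg, level_name, defaults):
    """Shape one log record into a /services/collector payload (approximation
    of the README's documented rules; assumption, not the library's code).
    'defaults' carries the handler-level metadata (index, source, sourcetype, host)."""
    if isinstance(msg, str):
        # Rule: string records become {'log_level': ..., 'message': ...}
        body = {"log_level": level_name, "message": msg}
    elif isinstance(msg, dict):
        body = dict(msg)  # Rule: dict records are preserved as JSON (copy, do not mutate caller's)
    else:
        raise TypeError("log message must be str or dict")

    # Rule: add 'time' (epoch seconds) if the record does not carry one
    body.setdefault("time", int(time.time()))

    # Rule: 'fields' overrides HEC metadata and supplies custom indexed fields
    fields = body.pop("fields", None) or {}
    envelope = dict(defaults)
    custom = {}
    for key, value in fields.items():
        if key in HEC_METADATA_KEYS:
            envelope[key] = value
        else:
            custom[key] = value
    envelope["time"] = body["time"]  # HEC uses the envelope time as _time
    envelope["event"] = body
    if custom:
        envelope["fields"] = custom
    return envelope


class HecPayloadFormatter(logging.Formatter):
    """Formatter that renders the JSON an HEC POST body would contain; useful
    for inspecting what leaves the host before pointing a handler at Splunk."""

    def __init__(self, **defaults):
        super().__init__()
        self.defaults = defaults

    def format(self, record):
        # logger.info(dict) stores the dict in record.msg; strings may carry %-args
        msg = record.msg if isinstance(record.msg, dict) else record.getMessage()
        return json.dumps(build_hec_event(msg, record.levelname, self.defaults))
```

Attach HecPayloadFormatter to a StreamHandler to review the exact payload, including any custom fields, that a production handler would transmit.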
Todo
- Event acknowledgement support
Download files
Filename | Size | File type | Python version
---|---|---|---
splunk_hec_handler-1.0.9-py3-none-any.whl | 6.9 kB | Wheel | py3
splunk_hec_handler-1.0.9.tar.gz | 5.3 kB | Source | None