Inputs: HEC JSON-Format: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „ == PowerShell to create a JSON-Object and send to Splunk == <source lang="powershell"> #Create a PowerShell-Object and convert it to the JSON-Format $Body = […“) |
Admin (Diskussion | Beiträge) |
||
| (3 dazwischenliegende Versionen des gleichen Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | |||
== PowerShell to create a JSON-Object and send to Splunk == | == PowerShell to create a JSON-Object and send to Splunk == | ||
<source lang="powershell"> | <source lang="powershell"> | ||
| Zeile 22: | Zeile 21: | ||
| − | == Splunk props.conf == | + | == Splunk configurations == |
| + | Normally you can use the default Splunk Sourcetype "_json", but if this is not working as you expect, following this guide: <br> | ||
| + | Whether or not the Splunk JSON parser for 'INDEXED_EXTRACTIONS' strips curly braces from names of fields that are defined as arrays in JSON events. <br> | ||
| + | With the Splunk "option" '''JSON_TRIM_BRACES_IN_ARRAY_NAMES=true''' you can exclude the curly braces "{}" from array field names. | ||
| + | |||
| + | === props.conf === | ||
| + | <pre> | ||
| + | [qCheck:Compute:JSON] | ||
| + | JSON_TRIM_BRACES_IN_ARRAY_NAMES = true | ||
| + | INDEXED_EXTRACTIONS = JSON | ||
| + | BREAK_ONLY_BEFORE = ^{ | ||
| + | SHOULD_LINEMERGE = true | ||
| + | TRUNCATE = 500000 </pre> | ||
| + | |||
| + | ''More information's about the props.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf'' | ||
| + | |||
| + | |||
| + | |||
| − | [[Kategorie | + | [[Kategorie:Splunk]] |
Aktuelle Version vom 17. Februar 2021, 16:01 Uhr
PowerShell to create a JSON-Object and send to Splunk
#Create a PowerShell-Object and convert it to the JSON-Format $Body = [PSCustomObject]@{ host = $HVNode.ToUpper() event = @{ <YourFieldName> = <YourValue> <YourFieldName> = <YourPowerShell-Command> } } | ConvertTo-Json -Depth 4 #Splunk Variables $SplunkPort = 8088 $SplunkHeader = @{Authorization = "Splunk <Splunk_HEC-Token>"} $SplunkURL = "http://<Splunk-URL>:$SplunkPort/services/collector/event" #Send the created JSON to the Splunk HEC Input Invoke-WebRequest -Uri $SplunkURL -Method Post -Body $Body -Headers $SplunkHeader -UseBasicParsing
Splunk configurations
Normally you can use the default Splunk Sourcetype "_json", but if this is not working as you expect, following this guide:
Whether or not the Splunk JSON parser for 'INDEXED_EXTRACTIONS' strips curly braces from names of fields that are defined as arrays in JSON events.
With the Splunk "option" JSON_TRIM_BRACES_IN_ARRAY_NAMES=true you can exclude the curly braces "{}" from array field names.
props.conf
[qCheck:Compute:JSON]
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
INDEXED_EXTRACTIONS = JSON
BREAK_ONLY_BEFORE = ^{
SHOULD_LINEMERGE = true
TRUNCATE = 500000
More information's about the props.conf: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
