Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/willabides/splunk-pipe
like egpipe but for splunk
golang shell splunk splunk-hec splunk-http
Last synced: 23 days ago
- Host: GitHub
- URL: https://github.com/willabides/splunk-pipe
- Owner: WillAbides
- License: mit
- Created: 2020-12-23T20:23:26.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2020-12-23T21:58:53.000Z (about 4 years ago)
- Last Synced: 2024-04-16T00:26:01.500Z (9 months ago)
- Topics: golang, shell, splunk, splunk-hec, splunk-http
- Language: Go
- Homepage:
- Size: 10.7 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# splunk-pipe
[![ci](https://github.com/WillAbides/splunk-pipe/workflows/ci/badge.svg?branch=main&event=push)](https://github.com/WillAbides/splunk-pipe/actions?query=workflow%3Aci+branch%3Amaster+event%3Apush)
## Install
`go get github.com/willabides/splunk-pipe/cmd/splunkpipe`
## Usage
```
Usage: splunkpipe

splunkpipe posts events to splunk.

example:

  $ splunk_endpoint="http://localhost:8080"
  $ splunk_hec_token="shhh_secret_token"
  $ data="$(cat <<"EOF"
  {"action": "obj.add", "@timestamp": 1604953432032, "el_name": "foo", "doc_id": "asdf"}
  {"action": "obj.rem", "@timestamp": 1604953732032, "el_name": "bar", "doc_id": "fdsa"}
  EOF
  )"
  $ echo "$data" | \
      splunkpipe "$splunk_endpoint" \
      -H "Authorization: Splunk $splunk_hec_token" \
      -T 'jp:"@timestamp"'

Learn about JMESPath syntax at https://jmespath.org

Arguments:
  Endpoint for posting events

Flags:
  -h, --help                   Show context-sensitive help.
  -t, --sourcetype=STRING      Value for the "sourcetype" field. JMESPath expressions allowed
                               with "jp:" prefix.
  -s, --source=STRING          Value for the "source" field. JMESPath expressions allowed with
                               "jp:" prefix.
  -T, --timestamp=STRING       Value for the "eventTime" field converted from epoch milliseconds.
                               JMESPath expressions allowed with "jp:" prefix.
  -H, --header=HEADER,...      Header to sent with the request in the same format as curl. e.g.
                               '-H "Authorization: Splunk $HEC_KEY"'
  -h, --host=STRING            Value for the "host" field. JMESPath expressions allowed with
                               "jp:" prefix.
      --index=STRING           Value for the "index" field. JMESPath expressions allowed with
                               "jp:" prefix.
      --batch-size=10          Number of events to send in a batch.
      --flush-interval=2000    Time in milliseconds to wait before sending a partial batch. Set
                               to 0 to never send a partial batch.
```