问题描述
我正在尝试通过HEC将指标发送到Splunk,这是我的curl命令:
curl -k https://www.website.com \
-H "Authorization: Splunk password" \
-d '{"index":"index-name","time": 313423232.000,"event":"metric","source":"disk","sourcetype":"perflog","host":"host_1.splunk.com","value":85,"fields":{"region":"us-west-1","datacenter":"dc1","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","metric_name:cpu.idle": 13.34}}'
作为回报,我得到: {“ text”:“无数据”,“代码”:5}
这很奇怪,因为它可以更早地工作,我添加的只是“值”:85。 问题可能是我要发送到的网站吗?
有些建议的引号不匹配,并且HEC仅支持一组特定的已知字段,但我不认为这是我遇到的问题,因为我尝试仅使用索引源来运行相同的curl命令,时间,主机,源类型和事件,并具有相同的错误代码。
解决方法
要将度量标准发送到Splunk HEC,您需要在名为_value
的字段中包含度量标准值。您的示例中的最后一个参数也有一些错误。
以下请求就足够了。
curl -k https://www.website.com \
-H "Authorization: Splunk password" \
-d '{"index":"index-name","time": 313423232.000,"event":"metric","source":"disk","sourcetype":"perflog","host":"host_1.splunk.com","fields":{"region":"us-west-1","datacenter":"dc1","rack":"63","os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0","service_environment":"test","path":"/dev/sda1","fstype":"ext3","metric_name": "cpu.idle","_value": 13.34}}'