SendToSplunk – Send Text Data to a Splunk TCP Port
SendToSplunk is a command line tool that makes it easy to send data to and create events in Splunk from any Windows system, regardless of whether Splunk’s Universal Forwarder is installed or not.
These are the main facts:
- SendToSplunk sends data to a Splunk TCP port
- Each call to SendToSplunk creates a new event in Splunk
- SendToSplunk can use multiple Splunk servers for load-balancing and fault tolerance
- SendToSplunk allows all relevant event fields to be customized: host, index, source and sourcetype
- Event time customization is possible by prepending the event text with a timestamp
- SendToSplunk does not require any software to be installed
- SendToSplunk is freeware
What Does it Do?
Each time SendToSplunk is called it processes its command line arguments and sends the supplied data to Splunk so that a new event is created.
In the simplest use case you only specify a Splunk server (name or IP address and port) and an event text. Optionally, you can specify multiple Splunk servers – which are automatically used for fault tolerance and load balancing – and configure the event’s fields host, index, source and sourcetype to your liking.
You can even specify a custom event timestamp by prepending the event text with any timestamp string recognized by Splunk, e.g. instead of sending
SendToSplunk -server splunk1:19500 -event "event data"
send instead
SendToSplunk -server splunk1:19500 -event "2014-03-22 9:23:51Z event data"
When to Use
SendToSplunk is primarily intended for creating Splunk events from scripts, batch files or custom tools without the need to install Splunk’s Universal Forwarder. But if you come up with other use cases – go ahead!
Syntax and Examples
The program’s help screen describes the available options in detail:
SendToSplunk by Helge Klein
Sends arbitrary text data to a Splunk TCP port
Homepage: https://helgeklein.com
Version: 1.0.0.0
Copyright: Helge Klein
Syntax:
=======
SendToSplunk [-help] -server <server1:port1> [-server <server2:port2>]
[-host <host>] [-index <index>] [-source <source>]
[-sourcetype <sourcetype>]
-event <event>
Notes:
======
Before using this tool make sure that the specified port is enabled as a
TCP data input in Splunk.
If multiple servers are specified, load balancing and fault tolerance
are enabled automatically. Data is distributed evenly amongst all
servers that can be reached.
To specify a custom event timestamp prepend the event parameter with
any timestamp recognized by Splunk.
Examples:
=========
SendToSplunk -server splunk1:19500 -index myindex
-event "usercount=4 processcount=35"
SendToSplunk -server splunk1:19500 -server splunk2:19500 -server splunk3:19500
-index myindex -host myhost -source mysource
-event "usercount=4 processcount=35"
Here is an example of SendToSplunk in action:
D:\>SendToSplunk.exe -server srv1:19500 -index testindex -event "event data"
Successfully sent 41 bytes to srv1:19500
License
SendToSplunk is freeware.
Changelog
Version 1.0
- Initial version
System Requirements
SendToSplunk works on any version of Windows beginning with Vista / Server 2008. This includes Windows 7, 8, 8.1 and Server 2012 (R2). SendToSplunk does not require any additional software.
SendToSplunk works with any version of Splunk. Please do not forget to configure the TCP port you are sending to as a data input.
SendToSplunk comes as a 32-bit binary only, but works correctly on both 32-bit and 64-bit Windows.
Support
Support options are described here.