Here are three cURL command line examples for interacting with a Splunk instance: sending event data, sending metrics data, and querying a Splunk index.
You can send raw event data to a Splunk HTTP Event Collector (HEC) using a POST request.
curl -k https://<SPLUNK_SERVER>:8088/services/collector/event \
  -H "Authorization: Splunk <HEC_TOKEN>" \
  -d '{"event": "User logged in", "sourcetype": "manual_event", "index": "<INDEX_NAME>"}'

The -k flag disables TLS certificate verification; it is acceptable against a self-signed test instance, but for a production collector drop it and point cURL at the CA that signed the Splunk certificate (--cacert) instead. Treat the HEC token as a credential: it grants write access to every index the token is allowed to use.

To send metrics data (e.g., CPU usage, memory consumption) to a Splunk metrics index, use a similar cURL command but include metrics-specific fields.
curl -k https://<SPLUNK_SERVER>:8088/services/collector \
  -H "Authorization: Splunk <HEC_TOKEN>" \
  -d '{"time": 1609459200, "event": "metric", "sourcetype": "_json", "index": "<INDEX_NAME>", "fields": {"metric_name": "cpu_usage", "_value": 70}}'

Here the event value is the literal string "metric", and both metric-specific fields go inside the fields object: _value is the metric value and metric_name is the name of the metric being recorded. <INDEX_NAME> must be a metrics index, not an events index.

To query a Splunk index using cURL, use the /services/search/jobs endpoint on the management port (8089, not the HEC port 8088) to start a search and then retrieve the results.
curl -k https://<SPLUNK_SERVER>:8089/services/search/jobs \
  -u <USERNAME>:<PASSWORD> \
  -d output_mode=json \
  --data-urlencode search="search index=<INDEX_NAME> sourcetype=<SOURCETYPE> | head 10"

This will return a sid (search ID) that you will use in the next step; with output_mode=json it arrives as {"sid": "..."} (without it, as XML). --data-urlencode rather than -d is used for the search parameter so that the spaces and the pipe in the search string are URL-encoded correctly. Passing -u <USERNAME> without the password makes cURL prompt for it, which keeps the password out of shell history and process listings.
curl -k https://<SPLUNK_SERVER>:8089/services/search/jobs/<SEARCH_ID>/results?output_mode=json \
  -u <USERNAME>:<PASSWORD>

Replace <SEARCH_ID> with the sid returned from the previous command. Search jobs run asynchronously, so if this request is made before the job has finished the results may be empty or partial; check the job's dispatchState at /services/search/jobs/<SEARCH_ID> and fetch the results once it reports DONE.

In summary:
- Send events with the /services/collector/event endpoint.
- Send metrics with the /services/collector endpoint with metric-specific fields.
- Query an index by starting a search with /services/search/jobs and retrieve the results using the job's sid.