0
votes

I'm trying to send metrics to Splunk via HEC. Here's my curl command:

curl -k https://www.website.com                    \
-H "Authorization: Splunk password"       \
-d '{"index":"index-name","time": 313423232.000,"event":"metric","source":"disk","sourcetype":"perflog",
"host":"host_1.splunk.com","value":85,"fields":{"region":"us-west-1","datacenter":"dc1","rack":"63",
"os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0",
"service_environment":"test","path":"/dev/sda1","fstype":"ext3","metric_name:cpu.idle": 13.34}}'

And in return I'm getting: {"text":"No data","code":5}

This is weird because it was working earlier; all I added was "value":85. Could the issue be the website I'm sending to?

Some suggestions were mismatched quotes, and the fact that HEC only supports a specific set of known fields, but I don't think that's the issue I'm having here because I tried running the same curl command with only index, source, time, host, sourcetype, and event and got the same error code.

1
What HEC endpoint are you using? Have you tried "value":"85"? - RichG

1 Answer

1
votes

To send a metric to Splunk HEC, you need to include the metric value in a field called _value. You also had a few errors in the last parameter in your example.

The following request should be sufficient.

curl -k https://www.website.com                    \
-H "Authorization: Splunk password"       \
-d '{"index":"index-name","time": 313423232.000,"event":"metric","source":"disk","sourcetype":"perflog",
"host":"host_1.splunk.com","fields":{"region":"us-west-1","datacenter":"dc1","rack":"63",
"os":"Ubuntu16.10","arch":"x64","team":"LON","service":"6","service_version":"0",
"service_environment":"test","path":"/dev/sda1","fstype":"ext3","metric_name": "cpu.idle", "_value": 13.34}}'