0

In Splunk we have an url, index, token, host, source and sourcetype and with those detail need to post data in splunk using python.

I was able to write a code using requests with URL, index, token and it works

import requests
url='SPLUNK_URL'
Header = {'Authorization': 'Splunk '+'1234567'}
json = {"index":"xxx_yyy", "event": { 'message' : "Value" } }
r = requests.post(url, headers=Header, json, verify=False)

But sometimes get this error ConnectionError: ('Connection aborted.', OSError("(10054, 'WSAECONNRESET')")). How to avoid this error ?

Sapta619
  • 9
  • 7
  • I need more information here. When does the error occurs? How often does the error occurs? – Jackyjjc Aug 08 '19 at 04:32
  • I have scheduled this python script to run at every 1 hour in a day, can see for one time it fails with this error and next hour it sends the data correctly.. Out of 24 times in a day it fails 6-8 times. – Sapta619 Aug 08 '19 at 10:23
  • That is interesting because according to online docs this error means your server closes the connection: https://stackoverflow.com/questions/48370530/how-do-i-solve-a-wsaeconnreset-error Was your Splunk instance being terminated, unavailable or not running stably? – Jackyjjc Aug 09 '19 at 02:02
  • @Jackyjjc my instance was not getting terminated and was running stable. I have a for loop used, so for first iteration of value if it fails can see for next iteration of value it sends data fine and then again in third iteration of value it fails. To avoid that I want to use a retry script so that if it throws exception it will retry to send request again to Splunk, how to achieve that? – Sapta619 Aug 20 '19 at 03:02
  • see https://stackoverflow.com/questions/44448625/how-to-handle-a-connection-error-gracefully-in-requests – Jackyjjc Aug 22 '19 at 02:00

1 Answers1

0

Assuming this is HEC, I would compare the times you receive this error vs times you have issues on receiver, such as high CPU utilization , or internal logs for connection drops etc. That could be your answer as receiver rejects/resets. Also if you are sending directly to Indexer rather than mid instance, I believe there is a common issue for that.

akemko
  • 55
  • 10