What I am looking for is a free form non-POST to web API option.  I have non-conforming JSON coming from nprobe that I want to directly stream into an open port, ingest it, and write custom dashboards with the data. I have access via liagent to the locally dumped text data but it does not support adding labels, therefore field extraction gets complex and slow because I have to build fairly complex regex statements to ensure the proper fields are associated with the columns.

Still not sure I am entirely following. In regards to labels are you referring to the agent? It supports tags, which should be the same thing. If you are interested in better parsing options you might want to look on loginsight.vmware.com and the tech preview program. As for the ingestion API, it does not care the format of your event you just need to send it via the REST API.

I apologize, I am trying to be vague to be helpful in the 'bigger picture' but not getting my specific example down.  Broadly, I am asking for acceptance of constant flowing stream(s) of JSON or other structured data to a TCP port.  Here is an example of part of a stream nprobe sends to a tcp port (Splunk can read):

{"IPV4_SRC_ADDR":"xxx.xxx.xxx.xxx","L4_SRC_PORT":7000,"IPV4_DST_ADDR":"xxx.xxx.xxx.xxx","L4_DST_PORT":37523,"PROTOCOL":6,"IN_BYTES":542100,"OUT_BYTES":1557981,"FIRST_SWITCHED":1431101095,"LAST_SWITCHED":1431101236,"IN_PKTS":10425,"OUT_PKTS":13453,"IP_PROTOCOL_VERSION":4,"APPLICATION_ID":"0","L7_PROTO_NAME":"Unknown","ICMP_TYPE":0,"FLOW_START_MILLISECONDS":1431101095000,"FLOW_END_MILLISECONDS":1431101236000,"APPL_LATENCY_MS":0.000,"SRC_IP_COUNTRY":"","SRC_IP_CITY":"","DST_IP_COUNTRY":"","DST_IP_CITY":"","TOTAL_FLOWS_EXP":64890}

I do not have the option to post this data to a web page, just stream to an IP:Port.

Here is the nprobe help line:

      --tcp <server:port>                 | Deliver flows in JSON format to the specified server via TCP.

I can imagine other instances this would be helpful - ingesting data from a tcp port outside of syslog or Restful API posts.  Please let me know if you would like more information - I know I am so immersed in the issue I miss the bigger picture and have a difficult time explaining the issue at hand.

Thanks!

Pete

I have another API issue - I am attempting to stream data via ntopng to the API and getting further.  This is what my packet capture tells me (just small sample):

POST /api/v1/messages/ingest/42030d8f-a682-71da-8206-cadaf18b370e HTTP/1.1

Host: 10.128.234.14:9000

Connection: keep-alive

Accept: application/json

User-Agent: li-agent-2.5.0.2347850 Beta

Content-Type: application/json; charset=utf-8

Content-Encoding: gzip

Content-Length: 338

^_<8b>^CU<91 <85>ÿK<9f>  R<95><89>¼±<82>Y3 ­^Z²<98><86>        N^R^D#]ܲòßW`^Z÷öÝsNNso^?À©hÛ

ì£h<81>ûö^CÊ^\¸3ÇY:3Û^@<87>²¨ò 82>fò^H^L°ojYÔR<8b><93><<93>ÙäP5×v2µ mÙ<96>#à^S´!4^G^UtƽáØ´rÀÇ<86>Z6g³*ß/Ùå

Û¼<96>íÞ,òOÐí^L <8b>¯><80>éf.X<82><84>çû<89>

G¦$ájp|ÆïNÏ<83>C^S     "¡Â±xNyÀ^TY ÇØ^Vsô^Rø*ô^^'<9d>§¯|<8c>^O<80>©¸<95><89>M<90>0LbåQ^ZbäqÍ^Bë<86>Å^X^Q±^W^E

£<88>

<9e>Ò@­B²^U<8c>{        ^W^Q^NCÌ^BDb<9f><8d>z^PûÿÕ¾T<84>^^^Ob<94><8a><88>©~Ký8"ë<98>'é}Ä<Uý<9a>^OÖmÔ<96>¾¬,õ§Êìt^F.<9

c>Ï <84>ËÅ^TN<97>V·ë~^Ar<8d>^S&ð^A^@^@HTTP/1.1 200 OK

ACCESS-CONTROL-EXPOSE-HEADERS: X-LI-Build

Content-Type: application/json; charset=utf-8

Date: Fri, 08 May 2015 21:15:21 GMT

X-LI-Build: 2347850

Content-Length: 58

{"status":"ok","message":"messages ingested","ingested":1}POST /api/v1/messages/ingest/42030d8f-a682-71da-8206-cadaf1

8b370e HTTP/1.1

Host: 10.128.234.14:9000

Connection: keep-alive

Accept: application/json

User-Agent: li-agent-2.5.0.2347850 Beta

Content-Type: application/json; charset=utf-8

Content-Encoding: gzip

Content-Length: 3875

Expect: 100-continue

HTTP/1.1 100 Continue

Which appears to be ingesting data but I do not see it in interactive analytics.  Not sure what is going on but I am pretty sure it is me.  I need to walk away for a bit and look at this tomorrow or Monday.  As always, any insight or ideas are appreciated!

Ah, now I understand the stream request -- can you please open this as a feature request on loginsight.vmware.com?