HTTP Event Collector (HEC) is a quick and efficient way to send data to Splunk Enterprise. It does not need a Splunk agent (Universal Forwarder, UF) to monitor data and send it to Splunk: any application can send its data directly to Splunk over HTTP or HTTPS. Authentication is token based: we only need a token created on the Splunk Enterprise host and the endpoint of the host where the data should go. We can also set the index and sourcetype while sending data through HEC.

Why is HEC needed?
Scenario: a web application generates data about that application.
This data needs to be transferred into Splunk so it can be dashboarded and give insights into the application's performance. Instead of setting up a UF, collecting the logs from the application and sending them to Splunk Enterprise to be indexed, we can send the data directly through HEC, which saves time and does not require installing any Splunk agent. Any app or website that generates data can feed it into Splunk through HEC.

Token –
For sending data to Splunk Enterprise, proper authentication is required so that data gets in securely. Splunk generates a 128-bit GUID token, a unique key that is used for authentication while sending and receiving data.
Protocol – HTTP or HTTPS
Host IP – the Splunk host IP where we want to send data
Endpoints – for raw events or unstructured data: /services/collector/raw
for structured data (JSON): /services/collector

Syntax for endpoints – <protocol>://<host>:<port>/<endpoint> -H "Authorization: Splunk <token>" -d "<data>"

Onboarding Process by HEC

To enable the HTTP Event Collector, go to Settings -> Data Inputs -> HTTP Event Collector.

Enable HEC by editing Global Settings:

Under All Tokens, click Enabled; this allows data to be received using any token.
For Default Source Type, select a sourcetype, e.g. _json or csv.
Default Index can be set to main or to any new index in which you want your data to be indexed.
Check Enable SSL if you want to send data over HTTPS; if it is not checked, data is sent over plain HTTP.
Default Output Group is used when data received by HEC should be forwarded to other indexers; set their output group here.
HTTP Port Number is set to 8088; HEC listens on this port.

Since no token exists yet, click New Token to create one.

Give the token a name; the other fields are optional.

Select Search & Reporting as the App Context.
Also select the indexes: here we can select multiple indexes in which the data coming from HEC may be indexed. A default index must be set; it can be main or any other index.

Review the details and click Submit.

After submitting, the generated token value is shown.

The token details can be seen under Settings -> Data Inputs -> HTTP Event Collector.

If we want to check the details or edit the token again, click Edit.

Now that the token is generated, we can use it to send data to Splunk.
To send data through HEC to Splunk we can run this API call from any source, e.g. with curl:

Example: curl -k http://35...***:8088/services/collector -H "Authorization: Splunk B5A89*" -d '{"event": "hello world"}'

curl -k http://35...***:8088/services/collector/raw -H "Authorization:Splunk b8c8eae2-*-**" -d "axy,pqr,qbc,mnt"

Protocol – http
Splunk Enterprise IP – 35...***
Port – 8088
If we are sending unstructured data, the endpoint is /services/collector/raw
If the data is structured, the endpoint is /services/collector

After running this API call, a success message is returned, which means the data was sent to Splunk successfully. To check, go to Splunk and search index=main.
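The same exchange as a small client, added here as an example that is not from the original post: the Splunk host name and token are placeholders you replace with your own, the verify_tls flag reproduces curl -k only when you deliberately turn it off, and the HEC reply is checked for code 0 instead of being assumed successful.

```python
import json
import ssl
import urllib.request

# Placeholders (assumptions, not values from the post): your Splunk host and HEC token.
HEC_URL = "https://splunk.example.internal:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def hec_headers(token):
    """HEC authenticates each request with the token in the Authorization header."""
    return {"Authorization": "Splunk " + token}


def build_event_payload(events, index=None, sourcetype=None):
    """Body for /services/collector: one JSON object per event with the data under
    "event"; optional "index"/"sourcetype" keys override the token's defaults. HEC
    accepts objects back to back, so a whole batch goes in a single POST."""
    parts = []
    for ev in events:
        obj = {"event": ev}
        if index:
            obj["index"] = index
        if sourcetype:
            obj["sourcetype"] = sourcetype
        parts.append(json.dumps(obj))
    return "".join(parts).encode()


def parse_hec_response(body):
    """HEC replies with JSON like {"text": "Success", "code": 0}. Only code 0 means
    the data was accepted; any other code (invalid or disabled token, malformed
    event, wrong index, ...) means nothing was indexed."""
    return json.loads(body).get("code") == 0


def send(base_url, token, body, raw=False, verify_tls=True):
    """POST to /services/collector (JSON) or /services/collector/raw (unstructured)."""
    endpoint = "/services/collector/raw" if raw else "/services/collector"
    req = urllib.request.Request(base_url + endpoint, data=body,
                                 headers=hec_headers(token), method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; acceptable only against a lab host
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_hec_response(resp.read())


if __name__ == "__main__":
    batch = build_event_payload(["hello world", {"user": "alice", "action": "login"}],
                                index="main", sourcetype="_json")
    print("structured batch accepted:", send(HEC_URL, HEC_TOKEN, batch))
    print("raw line accepted:", send(HEC_URL, HEC_TOKEN, b"axy,pqr,qbc,mnt", raw=True))
```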

The data we sent through HEC from the command line has been indexed successfully.

If you are still facing issues with HTTP Event Collector onboarding, feel free to ask in the comment box below, and don't forget to follow us on social networks. Happy Splunking!