In this post, we will discuss what the HTTP Event Collector (HEC) is, the benefits of using it, and how it works on Splunk Enterprise and Splunk Cloud.
What is HEC in Splunk?
HEC stands for HTTP Event Collector. It allows you to send data to a Splunk deployment over the HTTP and HTTPS protocols. HEC is an efficient and fast way to send data to a Splunk deployment, using a token-based authentication method.
Tokens let an HTTP client or a logging agent connect to the HEC input. Each token has a unique value: a 128-bit number represented as a 32-character globally unique identifier (GUID). Both the agent and the client use the token to authenticate their connection to HEC. When the client establishes a connection, it presents the token value; if the token is valid, HEC accepts the connection and the client delivers the events from the application in either JSON or text form. Once Splunk receives an event, it indexes it according to the configuration that was used when the token was set up.
How to Configure HEC on Splunk
- Click Settings > Add Data.
- Click Monitor.
- Click HTTP Event Collector.
- In the Name field, enter a name for the token.
- (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
- (Optional) In the Description field, enter a description for the input.
- (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
- Click Next.
- (Optional) Make edits to the source type and confirm the index where you want HEC events to be stored. See Modify input settings.
- Click Review.
- Confirm that all settings for the endpoint are what you want.
- If all settings are what you want, click Submit.
- (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
How to Send Data to the HTTP Event Collector
Before you can send data to HEC, the following requirements must be met:
- HEC must be enabled.
- You must have an active HEC token available.
- You must use an active token to authenticate to HEC.
- You must format the data that goes to HEC in the way the endpoint expects (JSON for the event endpoint, raw text for the raw endpoint).
HEC Example
Once we have created the HEC input for test_token, we use the token value to send sample logs to Splunk using curl. In the example below we use curl to send the event "Hello, world!" with sourcetype demo to Splunk.
curl -k https://127.0.0.1:8088/services/collector/event -H 'Authorization: Splunk 9d952d27-5589-4ece-98b0-58faf9a1dec6' -d '{"sourcetype": "demo", "event":"Hello, world!"}'
Once you run the curl command you should get the following response:
{"text":"Success","code":0}
If you do not get a Success message, go back and verify your curl entry and check that the token value is correct.
After the successful response from curl, go into Splunk and search the index that you set the HEC token for; you should see an event with sourcetype demo whose text is "Hello, world!".
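The curl call above shows the whole exchange in one line: a bearer token in the Authorization header, a JSON body, and a JSON reply whose code 0 means the event was accepted. The following Python client, added here as an example and not part of the original post, does the same thing with the pieces separated so each can be checked: it validates that the token has the 32-character GUID form described earlier, builds the event body, sends it, and interprets the reply. Unlike the curl example's -k flag, it verifies the server certificate by default, because the token is a bearer credential and should not be presented to an unverified server. HEC_URL and HEC_TOKEN are placeholders, and the rejection reply shown in the comment is constructed to illustrate the reply shape.

```python
import json
import ssl
import urllib.error
import urllib.request
import uuid
from typing import Any, Dict, Optional, Tuple

# Constructed values for illustration; substitute your deployment's URL and
# the token Splunk Web displayed when you created the HEC input.
HEC_URL = "https://127.0.0.1:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token


def is_valid_token_format(token: str) -> bool:
    """Client-side sanity check only: a HEC token is a 128-bit GUID written as
    32 hex characters in 8-4-4-4-12 form. Only Splunk can tell whether the
    token is actually enabled."""
    try:
        return str(uuid.UUID(token)) == token.lower()
    except ValueError:
        return False


def build_event(event: Any, sourcetype: str, index: Optional[str] = None) -> Dict[str, Any]:
    """Build the JSON body that /services/collector/event expects.
    'event' may be a plain string or any JSON-serialisable object."""
    body: Dict[str, Any] = {"sourcetype": sourcetype, "event": event}
    if index:
        body["index"] = index  # must be an index the token is allowed to write to
    return body


def parse_hec_response(raw: bytes) -> Tuple[bool, str]:
    """Interpret HEC's JSON reply: code 0 with text "Success" means the event
    was accepted; any other code carries the reason in 'text'."""
    reply = json.loads(raw.decode("utf-8"))
    return reply.get("code") == 0, str(reply.get("text", ""))


def send_event(url: str, token: str, body: Dict[str, Any],
               verify_tls: bool = True) -> Tuple[bool, str]:
    """POST one event to HEC with the 'Authorization: Splunk <token>' header.
    TLS is verified by default; verify_tls=False reproduces curl -k and belongs
    in a lab only, since the token is a bearer credential."""
    if not is_valid_token_format(token):
        raise ValueError("token is not a GUID-formatted HEC token")
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return parse_hec_response(resp.read())
    except urllib.error.HTTPError as err:
        # A rejected request (for example a bad token) comes back as an HTTP
        # error whose body has the same JSON shape, e.g. {"text":"Invalid token","code":4}
        return parse_hec_response(err.read())


if __name__ == "__main__":
    accepted, text = send_event(HEC_URL, HEC_TOKEN, build_event("Hello, world!", "demo"))
    print("accepted" if accepted else f"rejected: {text}")
```

Run it against a lab instance with your own URL and token; the rejection branch is what you will see first if the token is disabled or mistyped, which is the check the post recommends doing by hand.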
Send Data to HEC on Splunk Cloud Platform
The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>
Where:
<protocol> is either http or https
<host> is the Splunk Cloud Platform instance that runs HEC
- You must add http-inputs- before the <host> on AWS.
- You must add http-inputs. before the <host> on GCP.
- You must add the domain .splunkcloud.com after the <host>.
<port> is the HEC port number
- 8088 on Splunk Cloud Platform free trials
- 443 by default on Splunk Cloud Platform instances
<endpoint> is the HEC endpoint you want to use. In many cases, you use one of:
- the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events
- the /services/collector/raw endpoint for raw events
Send Data to HEC on Splunk Enterprise
The standard form for the HEC URI in Splunk Enterprise is as follows:
<protocol>://<host>:<port>/<endpoint>
Where:
<protocol> is either http or https
<host> is the Splunk instance that runs HEC
<port> is the HEC port number, which is 8088 by default, but you can change it in the HEC Global Settings
<endpoint> is the HEC endpoint you want to use. In many cases, you use one of:
- the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events
- the /services/collector/raw endpoint for raw events
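The URI rules in the two sections above (Splunk Cloud Platform free trials, AWS- and GCP-hosted Cloud stacks, and Splunk Enterprise) differ only in how the host is prefixed and which port is the default. The following Python helper, added here as an example and not part of the original post, assembles the URI for each case from those rules and then checks an assembled URI for the two mistakes that matter most: using plain http, which sends the token in clear text, and omitting the http-inputs prefix on a Splunk Cloud host. The platform labels ("enterprise", "cloud-trial", "cloud", "cloud-gcp") and the host name "acme" are assumptions made for the example, not Splunk terminology.

```python
from typing import List, Optional
from urllib.parse import urlsplit

EVENT_ENDPOINT = "/services/collector/event"  # JSON-formatted events
RAW_ENDPOINT = "/services/collector/raw"      # raw events

# Host pattern and default port per platform, following the rules above.
# The keys are labels chosen for this example, not Splunk terminology.
_PLATFORMS = {
    "enterprise":  ("{host}", 8088),
    "cloud-trial": ("http-inputs-{host}.splunkcloud.com", 8088),
    "cloud":       ("http-inputs-{host}.splunkcloud.com", 443),  # AWS-hosted stacks
    "cloud-gcp":   ("http-inputs.{host}.splunkcloud.com", 443),
}


def hec_uri(platform: str, host: str, endpoint: str = EVENT_ENDPOINT,
            protocol: str = "https", port: Optional[int] = None) -> str:
    """Assemble <protocol>://<fqdn>:<port><endpoint> for the given platform."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    if platform not in _PLATFORMS:
        raise ValueError(f"unknown platform label: {platform!r}")
    pattern, default_port = _PLATFORMS[platform]
    if not endpoint.startswith("/"):
        endpoint = "/" + endpoint  # tolerate "services/collector/raw" written without the slash
    fqdn = pattern.format(host=host)
    chosen_port = default_port if port is None else port
    return f"{protocol}://{fqdn}:{chosen_port}{endpoint}"


def hec_uri_warnings(uri: str) -> List[str]:
    """Flag URIs that expose the token or will not reach the HEC listener."""
    parts = urlsplit(uri)
    warnings: List[str] = []
    if parts.scheme == "http":
        warnings.append("plain HTTP: the HEC token travels in clear text")
    host = parts.hostname or ""
    if host.endswith(".splunkcloud.com") and not host.startswith("http-inputs"):
        warnings.append("Splunk Cloud host is missing the http-inputs prefix")
    if parts.path not in (EVENT_ENDPOINT, RAW_ENDPOINT):
        warnings.append(f"unexpected endpoint path: {parts.path!r}")
    return warnings


if __name__ == "__main__":
    for label in _PLATFORMS:
        uri = hec_uri(label, "acme" if label != "enterprise" else "127.0.0.1")
        print(f"{label:12} {uri}  warnings={hec_uri_warnings(uri)}")
```

The "enterprise" case with host 127.0.0.1 reproduces the URL used in the curl example earlier in the post; the check function is the kind of guard worth running over collector configuration before a token is handed to an application team.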
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below: