Splunk® Enterprise

Getting Data In

Set up and use HTTP Event Collector from the CLI

You can use the http-event-collector parameter of the Splunk CLI and its options to administer an HTTP Event Collector (HEC) instance on a Splunk Enterprise server. This topic lists the available HEC options.

For more information about the CLI, see the following:

CLI syntax

There are two syntaxes to use when you administer HEC via the CLI:

  • The syntax for all HEC actions other than sending data (such as creating, deleting, and showing tokens)
  • The syntax for sending data to HEC

Use the following syntax for all actions except sending data to HEC:

splunk http-event-collector <command> <token-name> [<option2>] [<-parameter1> <value1>] [<-parameter2> <value2>] <data>

All HTTP Event Collector commands (except for send) assume that the first option following the command name is the name of the token. In addition, the create command assumes that the second option is a description of the token in quotation marks.

Use the following syntax to send data to HEC:

splunk http-event-collector send -uri <uri_value> -name <token-name> <data>

If you want to apply the CLI commands to the global configuration, do not use the -name <token-name> argument. For example, the following enables HTTP Event Collector:

splunk http-event-collector enable -uri <uri_value> <data>

Supported CLI commands

The following HTTP Event Collector-specific CLI commands are supported:

| Command | Description |
| --- | --- |
| create | Create a new token. |
| delete | Remove a token. |
| list | Show all available tokens. |
| update | Change token properties. |
| enable | Enable a token. |
| disable | Disable a token. |
| help | Show help. |
| send | Send data to an endpoint. |

Supported CLI parameters

HEC supports the following CLI parameters. You must immediately follow a CLI parameter with its value. You must wrap any values that contain spaces in quotation marks.

| Parameter | Description |
| --- | --- |
| -uri | The Uniform Resource Identifier (URI) of the Splunk server in the form: scheme://host:port. As an alternative to setting this parameter, you can set the $SPLUNK_URI environment variable instead. The port number to use should be the management port of your Splunk server (by default, 8089), and not the HTTP Event Collector port (by default, 8088). |
| -auth | Splunk server user authentication in the form: username:password. If this parameter is missing, you are prompted for a username and password. |
| -name | The name of the token. |
| -disabled | Whether to disable the token. 1 indicates true; 0 indicates false. |
| -description | A description of the token. |
| -indexes | A list of indexes accepted by the token. |
| -index | The token default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set. |
| -source | The token default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set. |
| -sourcetype | The token default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set. |
| -outputgroup | The token default outputgroup value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an outputgroup value set. |
| -port | The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter. |
| -enable-ssl | Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS; 0 indicates HTTP. |
| -dedicated-io-threads | The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. This setting should not be altered unless you have been requested to do so by Splunk Support. The value of this parameter should never be more than the number of physical CPU cores on your Splunk Enterprise server. |
| -output-format | The output format. txt indicates text; json indicates JSON. The default value is txt. |

Example CLI syntax

The following example CLI entry creates a token called "new-token" on the Splunk server at the given URI, gives it a description (in quotation marks), sets it to disabled, and indicates that HTTP Event Collector data should be saved to the "log" index.

splunk http-event-collector create new-token -uri https://localhost:8089 -description "this is a new token" -disabled 1 -index log

The following example CLI entry enables the token called "myapp" on the Splunk server at the given URI, and sets the user authentication as shown:

splunk http-event-collector enable -name myapp -uri https://localhost:8089 -auth admin:changeme

The following example CLI entry sends data ("this is some data") to HTTP Event Collector using the given token and URI.

splunk http-event-collector send -uri https://localhost:8089 -token my-token {"this is some data"}
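
The following is an added example, not part of the Splunk documentation: a POSIX shell linter for the argument rules described in this topic. It checks that each parameter is followed by a value, that -uri names the management port rather than the default HEC port 8088, and that -auth does not carry a password on the command line, where it ends up in shell history and the process list. The function names lint_hec_args and check_mgmt_uri are hypothetical, and requiring an https scheme is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Splunk code): lint arguments for `splunk http-event-collector`.
# Parameter names and default ports come from this page; requiring https is an assumption.
HEC_VALUE_PARAMS=" -uri -auth -name -disabled -description -indexes -index -source -sourcetype -outputgroup -port -enable-ssl -dedicated-io-threads -output-format "

# check_mgmt_uri URI: print a finding and return 1 unless URI has the form
# https://host:port and does not point at the default HEC port 8088.
check_mgmt_uri() {
    case $1 in
        https://*:*) ;;
        *) echo "-uri: expected https://host:port, got '$1'"; return 1 ;;
    esac
    uri_port=${1##*:}
    case $uri_port in
        ''|*[!0-9]*) echo "-uri: port '$uri_port' is not numeric"; return 1 ;;
        8088) echo "-uri: 8088 is the default HEC port; use the management port (default 8089)"; return 1 ;;
    esac
    return 0
}

# lint_hec_args ARGS...: print one finding per line; exit status is the finding count.
lint_hec_args() {
    findings=0 prev=""
    for arg in "$@"; do
        case $HEC_VALUE_PARAMS in
            *" $prev "*)  # previous word was a parameter, so arg must be its value
                case $arg in
                    -*) echo "$prev: not followed by a value"; findings=$((findings + 1)) ;;
                esac
                case $prev in
                    -uri)  check_mgmt_uri "$arg" || findings=$((findings + 1)) ;;
                    -auth) case $arg in
                               *:?*) echo "-auth: password on the command line; omit -auth to be prompted"
                                     findings=$((findings + 1)) ;;
                           esac ;;
                esac ;;
        esac
        prev=$arg
    done
    case $HEC_VALUE_PARAMS in
        *" $prev "*) echo "$prev: not followed by a value"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# The page's own examples as input: the first is clean, the second is flagged for -auth.
lint_hec_args create new-token -uri https://localhost:8089 \
    -description "this is a new token" -disabled 1 -index log || true
lint_hec_args enable -name myapp -uri https://localhost:8089 -auth admin:changeme || true
```
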

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0


The last example - CLI send data to HEC - should be port 8088?

September 24, 2018
