Data Manager

User Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Data Manager. Click here for the latest version.
Acrobat logo Download topic as PDF

HTTP Event Collector (HEC) configuration reference

The HTTP Event Collector (HEC) lets you send data and application events to your Splunk platform deployment over the HTTP and Secure HTTP (HTTPS) protocols. Data Manager creates HEC tokens for each of the following data sources:

Data Source HEC token name
AWS Cloudtrail data-manager-cloudtrail_<input_id>
Amazon GuardDuty data-manager-guardduty_<input_id>
AWS Security Hub data-manager-security_<input_id>
AWS IAM Access Analyzer data-manager-iam-aa_<input_id>
AWS IAM credential reports and metadata data-manager-iam-cr_<input_id>
AWS CloudWatchLogs data-manager-cwl_<input_id>
AWS Lambdas data-manager-lambda_<input_id>
Azure Active Directory data-manager-azure-ad_<input_id>
Azure Activity Logs data-manager-azure-activity_<input_id>
Google Cloud Platform data-manager-gcp-cloud-logging_<input_id>


  • The <input_id> in each token is a placeholder. It will be replaced by a real input id. For example, data-manager-gcp-cloud-logging_<input_id> would be data-manager-gcp-cloud-logging_f7b76892-f3f3-4103-8008-5f07202a2b97.
  • Check if the HEC token has been created successfully. Each HEC token name has a Data Manager input ID in it. You can find the input_id from the URL in the Data Input Details page for that input.
  • Check if the HEC token is in enabled state. If it is disabled, enable it.
  • For CloudTrail, GuardDuty, SecurityHub, IAM Access Analyzer, and CloudWatch Logs, the HEC token must have indexer acknowledgement enabled.
  • If any HEC token is missing for an input, delete the input. To learn more about deleting an input, see the Delete Your Data Inputs chapter in this manual.
Last modified on 07 September, 2022
PREVIOUS
GCP Inputs Health
  NEXT
Version management in Data Manager

This documentation applies to the following versions of Data Manager: 1.7.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters