Splunk® Data Stream Processor

Connect to Data Sources and Destinations with DSP

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

HTTP Event Collector and the

If you already use Splunk HTTP Event Collector (HEC) to ingest data in the Splunk platform, you can update your data ingestion workflow to use DSP HEC and send your data to DSP instead. Send the events and metrics from your HTTP client to DSP so that you can process your data before sending it to the Splunk platform for indexing.

DSP HEC doesn't support the same tokens as Splunk HEC, so you'll need to create a new token and configure your HTTP client to use it. You can then use the Splunk DSP Firehose source function in a data pipeline to receive data from the HTTP client. DSP HEC uses the DSP API Gateway port to connect to the Splunk Data Stream Processor. See Get data from HTTP clients into DSP using the Splunk HEC API for instructions on how to redirect your Splunk HEC workflow to DSP.

DSP HEC supports the following Splunk HEC endpoints:

  • /services/collector
  • /services/collector/event
  • /services/collector/event/1.0

You can send metrics and events to any of these endpoints.

Differences between Splunk HEC and DSP HEC

Allows events and metrics to be written directly to the Splunk platform. Allows events and metrics to be written to DSP. See Connecting your DSP pipeline to a Splunk index if the final destination for the ingested data is the Splunk platform.
Splunk Indexer error codes can be returned directly to the HTTP client. Splunk Indexer error codes return an Invalid Data Format error in DSP HEC.
Each HEC token is associated with a set of authorized indexes. An error is returned if an event refers to another index. DSP HEC can't directly control which index an event is written to. You can set default values for the index fields in the DSP HEC tokens, but you'll also need to configure your pipeline to route the data according to the index value. See Connecting your DSP pipeline to a Splunk index for more information on configuring index routing.
A typical Splunk HEC token looks like this: ef976ef0-dc7b-46b9-aa2e-c407cad884e2 The DSP HEC token format is dsphec:sha256:UUID. A typical DSP HEC token looks like this:


Asynchronous event acknowledgment is supported via the /services/collector/ack API endpoint. DSP HEC does not support the asynchronous ACK protocol or the /services/collector/ack endpoint. If an HTTP 200 response is received from DSP HEC, the events in the request have been delivered to the Splunk DSP Firehose and are available for processing in your pipeline. No ACK is necessary.
Raw events are supported via the /services/collector/raw API endpoint. Raw events are not supported.
MINT formatted data is supported via the /services/collector/mint API endpoint. MINT formatted data is not supported.
Uses port 8088 to connect to Splunk Enterprise. Uses port 31000 to connect to the Splunk Data Stream Processor API services.

See also

To learn more about Splunk HEC, see the following pages from the Splunk Enterprise Getting Data In manual:

Last modified on 22 June, 2021
Formatting data into the Splunk Infrastructure Monitoring metrics schema
Get data from HTTP clients into DSP using the Splunk HEC API

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters