Configure the HTTP Event Collector to collect entity integration data in ITE Work
(ITE Work) uses the HTTP Event Collector (HEC) to receive data from entity integrations. You have to enable HEC and set up HEC tokens before you configure integrations and start analyzing entity data. Create HEC tokens for entity integration data sources that send data via HTTPS.
You can create one HEC token that sends data to the default indexes. You can also create additional HEC tokens to send specific data sources to specific indexes. For example, you can send *nix metrics data to a metrics index called *nix_metrics.
You need to configure HEC tokens that send data to specific index types for the following integrations. The index names are default indexes ITE Work creates for entity integrations. If you want to send entity integration data to different indexes, see Use custom indexes in ITE Work.
Entity integration | Events index | Metrics index |
---|---|---|
*nix | Not applicable. Because you collect *nix entity event data with a universal forwarder, you don't need to set up HEC to receive *nix entity events. |
itsi_im_metrics |
You can create a single HEC token if you specify the main, em_meta, and itsi_im_metrics indexes in the HEC token's configuration and define the itsi_im_metrics index as the default index. You have to specify the default index so entity integrations that don't use the other indexes send data to the correct index.
Prerequisites
Requirement | Description |
---|---|
HEC enabled | You have to enable HEC and create an HEC token to receive AWS and Microsoft Azure entity integrations. If you're using Splunk Cloud Platform, contact Splunk Support if you don't already have HEC enabled. For more information, see Enable HTTP Event Collector in the Splunk Enterprise Getting Data In guide. |
Steps
Follow these steps to configure an HEC token for ITE Work entity integrations. You can configure an HEC token in Splunk Web or with configuration files.
Configure an HEC token in Splunk Web
These steps show you how to create an HEC token in Splunk Web to collect data for every integration in ITE Work. For more information about configuring an HEC token in Splunk Web, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise Getting Data In guide.
- In Splunk Web, log in as an administrator.
- Go to Settings > Data inputs, select HTTP Event Collector, and click Global Settings. Ensure that All Tokens is set to Enabled. Also take note of the HTTP Port Number because you will need it later when you start adding data. When you're done, click Save.
- Click New Token.
- Type name of token.
- Click Next in Add Data.
- If you're going to use the HEC token to collect AWS CloudWatch Events and CloudWatch Logs data, check Enable indexer acknowledgement under Select Source. If you're not going to use the HEC token to collect data from those sources, don't check this option.
- For Input Settings, these are the required settings for ITE Work integrations in a single HEC token:
Setting Value Source type itsi_im_metrics
App context Splunk_TA_Infrastructure Select Allowed Indexes - main
- itsi_im_metrics
Default Index itsi_im_metrics - Review the settings and then generate the HEC Token to send data over HEC to the Splunk Enterprise instance running ITE Work.
- Confirm the token was created and copy the Token Value. Along with the HTTP Port Number you took note of earlier, you'll use the token when you configure entity integrations.
Configure an HEC token from inputs.conf
These steps show you how to set up an HEC token with conf files to collect metrics data from collectd and fluentd in ITE Work. For more information about configuring an HEC token with conf files, see Set up and use HTTP Event Collector with configuration files in the Splunk Enterprise Getting Data In guide.
- Go to the $SPLUNK_HOME/etc/system/local directory.
- Open the inputs.conf file with a text editor. If it doesn't exist yet, create it.
- Enter this HEC token stanza to create a single HEC token for every ITE Work integration.
[http://<token_name>] disabled = 0 index = itsi_im_metrics indexes = itsi_im_metrics, main sourcetype = itsi_im_metrics token = <string>
- Save your changes and close the file.
- Restart splunkd:
$SPLUNK_HOME/bin/splunk restart
What is an entity integration? | Use custom indexes in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.13.0, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1
Feedback submitted, thanks!