Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Set up and use HTTP Event Collector

HTTP Event Collector (EC) is an endpoint that lets you send application events into Splunk Enterprise using the HTTP or Secure HTTP (HTTPS) protocols. Event Collector uses an authentication model based on tokens that you generate. You then configure a logging library or HTTP client with this token to send data to EC in a specific format. This process eliminates the need for a forwarder when sending application events.

EC was created with application developers in mind, so that all it takes is a few lines of code added to an app for the app to send data. Also, EC is token-based, so you never need to hard-code your Splunk Enterprise credentials in your app or supporting files.

EC runs as a separate app in Splunk Enterprise called splunk_httpinput and stores its input configuration there in $SPLUNK_HOME/etc/apps/splunk_httpinput/local.

About Event Collector Tokens

Tokens are entities that let logging agents and clients connect to the HTTP Event Collector endpoint. Each token has a token value: a 32-bit number that agents and clients use to authenticate their connections to EC. When they connect, they present this token value. If EC has the token value configured and it is active, EC accepts the connection and the agent can then begin delivering its payload of application events in JavaScript Object Notation (JSON) format.

EC receives the events and Splunk Enterprise indexes them based on the configuration of the token that the agent used to connect. Splunk Enterprise uses the source, source type, and index that was specified in the token. If a forwarding output group configuration exists, Splunk Enterprise then forwards the application events to other indexers as the output group defines them.

Configure HTTP Event Collector in Splunk Web

Enable HTTP Event Collector

Before you can use Event Collector to receive events through HTTP, you must enable it. You enable EC through the "Global Settings" dialog box in the EC management page.

1. From the system bar, click Settings > Data Inputs.

2. On the left side of the page, click HTTP Event Collector. The EC management page loads.

3. In the upper right corner, click Global Settings.

63 HTTPEC GlobalSettings.png

4. In the All Tokens toggle button, select Enabled.

5. To set the source type for all EC tokens, select a category from the Default Source Type drop-down, then select the source type you want. You can also type in the name of the source type in the text field above the drop-down before choosing the source type.

6. To set the default index for all EC tokens, choose an index in the Default Index drop-down.

7. To set the default forwarding output group for all EC tokens, choose an output group from the Default Output Group drop-down.

8. To use a deployment server to handle configurations for EC tokens, click the Use Deployment Server check box.

9. To have EC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox.

10. To specify the port number that EC listens on, enter a number in the HTTP Port Number field.

Note: To ensure that proper communication happens between logging agents and EC, confirm that no firewall blocks the port number specified in the HTTP Port Number field, either on the agents, the Splunk Enterprise instance that hosts EC, or in between.

11. To save your settings, click Save. The dialog box disappears and Splunk Enterprise saves the global settings and returns you to the EC management page.

Create an Event Collector token

To use the HTTP Event Collector, you must configure at least one token. The token is what clients and agents use when they connect to Event Collector to send data.

1. From the Settings menu, select Add Data.

2. In the left pane, select HTTP Event Collector. The right pane populates with fields for EC end point.

3. In the Name field, enter a name for the token that describes its purpose and that you will remember.

4. (Optional) In the Source name override field, enter a name for the source type that Splunk Enterprise should assign to events that this end point generates.

5. (Optional) In the Description field, enter a description for the input.

6. (Optional) In the Output Group field, select an existing forwarder output group by picking it in the drop-down list.

Note: Define output groups in outputs.conf. See Configure forwarders with outputs.conf in the Forwarding manual. You can also set up forwarding in Splunk Web, which generates a default output group called default-autolb-group.

7. Click Next. The Input Settings page displays.

8. Make edits to source type and confirm the index you want Splunk Enterprise to send EC events to. See Modify input settings.

9. Click Review. Confirm that all settings for the end point are what you want. If you need to change settings, click the gray < button at the top of the page.

10. If all settings are what you want, click Next. The success page loads and displays the token value that Event Collector generated. You can copy this token value from the displayed field and paste it into another document for reference later. See About Event Collector tokens.

Modify an Event Collector token

63 HTTPEC EditToken.png

You can make changes to an EC token after you have created it. Visit the EC management page and edit a token to change any of its characteristics, including its name, description, default source type, default index, and output group.

To change the properties of a token:

1. Go to the EC management page. From the Settings menu, select Data Inputs.

2. Select HTTP Event Collector.

3. Locate the token that you want to change in the list.

4. In the Actions column for that token, click Edit. You can also click the link to the token name.

5. Edit the description of the token by entering updated text in the Description field.

6. (Optional) Update the source value of the token by entering text in the Source field.

7. (Optional) Choose a different source type by selecting it in the Source Type drop-down. First choose a category, then select a source type in the pop-up menu that appears. You can also type in the name of the source type in the text box at the top of the drop-down.

63 HTTPEC EditToken ST.png

8. (Optional) Choose a different index by selecting it in the Available Indexes pane of the Select Allowed Indexes control. The index moves to the Selected Indexes pane of the control.

9. (Optional) Choose a different output group from the Output Group drop-down.

10. Click Save. The dialog closes and Splunk Enterprise returns you to the EC management page.

Delete an Event Collector token

You can also delete an EC token if you don't plan to use it any more. Deleting an EC token does not affect other EC tokens, nor does it disable the EC endpoint.

Caution: You cannot undo this action. Agents that use this token to send data to Splunk Enterprise will no longer be able to authenticate with the token. You must generate a new token and change the agent configuration to use the new token value.

To delete an EC token:

1. Go to the EC management page. From the Settings menu, select Data Inputs.

2. Select HTTP Event Collector.

3. Locate the token that you want to delete in the list.

4. In the Actions column for that token, click Delete.

5. In the Delete Token dialog, click Delete. Splunk Enterprise deletes the token and returns you to the EC management page.

Enable and disable Event Collector tokens

You can enable or disable a single EC token from within the EC management page. Changing the status of one token does not change the status of other tokens. To enable or disable all tokens, use the Global Settings dialog. See Enable the HTTP Event Collector.

To toggle the active status of an EC token:

1. Go to the EC management page.

2. Locate the token whose status you want to toggle.

3. In the Actions column for that token, click the Enable link (if the token is active) or the Disable link (if the token is inactive.) The token status toggles immediately and the link changes to Enable or Disable based on the changed token status.

HTTP Event Collector for developers

You have several options within your developer environment for using HTTP Event Collector. You can use the Splunk Java, JavaScript (Node.js), and .NET logging libraries, which are compatible with popular logging frameworks. Or you can make an HTTP request to EC by using an HTTP client and sending events encoded in JSON. The curl utility that comes with many *nix operating systems can be used to test EC connectivity and payload delivery.

Example

This example POST request is made to port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

JSON

The following curl statement uses an example HTTP Event Collector token (B5A79AAD-D822-46CC-80D1-819F80D7BFB0), and uses https://localhost as the hostname. Replace these values with your own before executing this statement. You must supply the "event" keyword in the statement.

JSON Request
curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
JSON Response
{"text": "Success", "code": 0}

More information

You can find more developer content on using HTTP Event Collector on the Splunk Developer Portal. For a complete walkthrough of using HTTP Event Collector, see HTTP Event Collector walkthrough, also on the Splunk Developer Portal.

PREVIOUS
Monitor Windows network information
  NEXT
Monitor First In, First Out (FIFO) queues

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters