
Use cURL to manage HTTP Event Collector tokens, events, and services
Manage HTTP Event Collector tokens with cURL
All HTTP Event Collector token operations are available through the token management endpoint using cURL. Tokens are stored at the following REST API endpoint, assuming your Splunk server's management address is https://localhost:8089:
https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/
The examples below use -k, which tells cURL to skip TLS certificate verification, together with the default admin:changeme credentials. Outside a throwaway test instance, replace -k with --cacert pointing at the CA that signed the management certificate, and authenticate with a non-default password or a dedicated service account.
List the existing HTTP Event Collector tokens using cURL
You can list the existing tokens using cURL. For example, the following cURL command lists the tokens that exist on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http
Create an HTTP Event Collector token using cURL
To create a token using cURL, POST the name parameter to the collection endpoint. For example, the following cURL command creates a token called "mytoken" on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http -d name=mytoken
Edit an HTTP Event Collector token using cURL
You can update any token property except its name and its token value using cURL. For example, the following cURL command updates the description of the "mytoken" token on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/mytoken -d description=abc
You can update any of the following parameters:
Parameter | Description |
---|---|
disabled | Whether to disable the token. 1 indicates true; 0 indicates false. |
description | A description of the token. |
indexes | A list of indexes accepted by the token. |
index | The token's default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set. |
source | The token's default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set. |
sourcetype | The token's default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set. |
outputgroup | The token's default outputgroup value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an outputgroup value set. |
port | The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter. |
enableSSL | Whether the HTTP Event Collector server's protocol is HTTP or HTTPS. 1 indicates HTTPS; 0 indicates HTTP. |
dedicatedIoThreads | The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. This setting should not be altered unless you have been requested to do so by Splunk Support. The value of this parameter should never be more than the number of physical CPU cores on your Splunk Enterprise server. |
useACK | Returns an acknowledgment when events are indexed. Set to 1 to enable. |
Enable or disable an HTTP Event Collector token using cURL
You can enable or disable a token using cURL. Changing the status of one token does not change the status of other tokens. To enable or disable a token, send a POST request to the token's enable or disable endpoint, respectively. For example, the following command disables the token called "mytoken" on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -X "POST" -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/mytoken/disable
Similarly, the following command enables the token called "mytoken" on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -X "POST" -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/mytoken/enable
Enable or disable HTTP Event Collector using cURL
You can enable or disable HTTP Event Collector itself using cURL. Instead of a token name, use http, the name of the collector's own configuration entry, followed by the enable or disable endpoint, and send a POST request. For example, the following command disables HTTP Event Collector on the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -X "POST" -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/http/disable
Delete an HTTP Event Collector token using cURL
To delete a token using cURL, send a DELETE request to the token's endpoint. For example, the following cURL command deletes the token called "mytoken" from the Splunk server at https://localhost:8089, authenticating as the user "admin":
curl -k -X "DELETE" -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/mytoken
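The token operations above, collected into a small Python helper. This is an added example, not code from the Splunk documentation: it builds the same URLs and form bodies the cURL commands use, refuses updates to the two fields the API will not change (name and the token value), and verifies the management certificate instead of passing -k. It assumes the management port at https://localhost:8089, the output_mode=json query parameter for JSON replies, and the entry[].name / entry[].content reply layout used in the constructed sample listing; the sample values are invented.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

BASE = "https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http"

# Properties the page documents as updatable. "name" and "token" are fixed
# once a token exists, so an update that includes them is rejected up front.
UPDATABLE = {
    "disabled", "description", "indexes", "index", "source", "sourcetype",
    "outputgroup", "port", "enableSSL", "dedicatedIoThreads", "useACK",
}


def token_url(name=None, action=None):
    """REST URL for the collection, a single token, or a token enable/disable action."""
    url = BASE
    if name is not None:
        url += "/" + urllib.parse.quote(name, safe="")
    if action is not None:
        if action not in ("enable", "disable"):
            raise ValueError("action must be 'enable' or 'disable'")
        url += "/" + action
    return url


def update_body(params):
    """Encode an update form body, refusing fields the API will not change."""
    fixed = set(params) & {"name", "token"}
    if fixed:
        raise ValueError("cannot update %s via POST" % sorted(fixed))
    unknown = set(params) - UPDATABLE
    if unknown:
        raise ValueError("unknown token parameter(s): %s" % sorted(unknown))
    return urllib.parse.urlencode(params).encode()


def call(method, url, user, password, body=None, cafile=None):
    """Send one authenticated management request and decode the JSON reply.
    cafile is the CA bundle that signed the management certificate; None
    falls back to the system trust store. Certificate checks stay on."""
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    sep = "&" if "?" in url else "?"
    req = urllib.request.Request(url + sep + "output_mode=json", data=body, method=method)
    req.add_header("Authorization", "Basic " + cred)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def _flag(value):
    # Splunk may return booleans as true/false or as "1"/"0"; treat both alike.
    return str(value).lower() in ("1", "true")


def _as_list(value):
    if isinstance(value, list):
        return [str(v) for v in value]
    return [v for v in str(value or "").split(",") if v]


def summarize_tokens(listing):
    """Reduce a token listing to the settings worth reviewing: whether the
    token is disabled, which indexes it is restricted to (empty means any),
    and whether indexer acknowledgement is on."""
    out = []
    for entry in listing.get("entry", []):
        content = entry.get("content", {})
        out.append({
            "name": entry["name"],
            "disabled": _flag(content.get("disabled", False)),
            "indexes": _as_list(content.get("indexes", "")),
            "useACK": _flag(content.get("useACK", False)),
        })
    return out


# Constructed sample of a listing reply (shape assumed, values invented).
SAMPLE_LISTING = {
    "entry": [
        {"name": "mytoken", "content": {"disabled": False, "indexes": "main,web", "useACK": "1"}},
        {"name": "legacy", "content": {"disabled": "1", "indexes": "", "useACK": False}},
    ]
}

if __name__ == "__main__":
    # Equivalents of the curl calls above; these need a reachable Splunk server.
    # call("POST", token_url(), "admin", "changeme", b"name=mytoken")
    # call("POST", token_url("mytoken"), "admin", "changeme", update_body({"description": "abc"}))
    # call("POST", token_url("mytoken", "disable"), "admin", "changeme")
    # call("DELETE", token_url("mytoken"), "admin", "changeme")
    print(summarize_tokens(SAMPLE_LISTING))
```

summarize_tokens is the piece worth running regularly: a token with an empty indexes list can write to any index the HEC user is allowed to reach, which is usually wider than the sender needs.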
Manage HEC events and services with cURL
The following commands show you how you can send events to and manage HEC services. They are not an all-inclusive list but give you an idea of the things that can be accomplished with HEC.
Send an event to HEC
The following example demonstrates basic HEC usage. It includes the Splunk server address with port and endpoint, the authentication token, and event data and metadata formatted according to the HEC event data format specification.
curl -k "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'
Send an event to HEC using basic authentication
This example demonstrates HTTP basic authentication, an alternative to sending the token in the Authorization header. To use basic authentication, pass a colon-separated user/password pair as the -u argument, using any string as the username and the token as the password: <user>:<token>.
# Basic auth
curl -k -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector/event" \
    -d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'
Send multiple events to HEC in one request
The following example demonstrates sending multiple events in one request. The events are concatenated JSON objects, not a JSON array, and need no separator between them. Though you can send multiple events in a single request, you cannot split one event across multiple requests.
curl -k "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'
Send raw text to HEC
The following example demonstrates sending raw text to HEC. Note the use of the raw endpoint, plus the channel identifier and sourcetype specification, both of which are done using URL query parameters.
curl -k "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '1, 2, 3... Hello, world!'
Send raw batched events to HEC
The following example demonstrates how to send raw, batched events to HEC. In this case, the command sends splunkd access logs, one per line. The sourcetype and index query parameters tell the indexer to assign these events the sourcetype splunkd_access and to send them to the main index.
# HEC Raw batching
curl -k "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
Send events to HEC with indexer acknowledgement enabled
The following example demonstrates how to send events to HEC with indexer acknowledgement enabled. Note that the sole difference between this example and the basic example is the inclusion of a channel identifier. When the token has useACK enabled and a channel is supplied, the response carries an ackId for the request, which you later pass to the ack endpoint to confirm that the events were indexed. Indexer acknowledgement also works with raw data.
# Indexer ack
curl -k "https://http-inputs-mycompany.splunkcloud.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'
Check HEC indexer acknowledgement status
The following example demonstrates how to check the indexing status of prior HEC requests. It sends the request to the ack endpoint, on the same channel the events were sent with, and includes the acks key, set to the three acknowledgement identifiers (ackIDs) whose status is queried. The response maps each queried ackId to true once its events have been indexed and to false while they are still pending.
# Check ack status
curl -k "https://http-inputs-mysplunkserver.splunkcloud.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"acks": [1,3,4]}'
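The event-sending calls above (batching multiple events in one request, the raw endpoint's query parameters, both authentication forms, and the send-then-poll loop for indexer acknowledgement) as one Python client. This is an added example, not Splunk's code: it serialises a batch the way HEC expects, sends it on a channel, and re-queries the ack endpoint until the returned ackId is marked true, giving up after a bounded number of polls. The endpoint, token and channel are the placeholders from this page; the ack reply is assumed to have the {"acks": {"1": true, "3": false}} shape described above, and SAMPLE_ACK_STATUS is a constructed reply used only to exercise the parsing.

```python
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

HEC_URL = "https://http-inputs-mysplunkserver.splunkcloud.com:8088"
TOKEN = "CF179AE4-3C99-45F5-A7CC-3284AA91CF67"
CHANNEL = "00872DC6-AC83-4EDE-8AFE-8413C3825C4C"


def encode_batch(events):
    """Serialise a list of event dicts the way HEC expects: one JSON object
    after another, with no array brackets and no separators. Each dict may
    carry the optional metadata keys (sourcetype, index, fields, ...)."""
    for ev in events:
        if "event" not in ev:
            raise ValueError("every HEC event needs an 'event' key")
    return "".join(json.dumps(ev, separators=(",", ":")) for ev in events).encode()


def hec_headers(token, basic=False):
    """Authorization header in either of the two forms shown on this page."""
    if basic:
        # Any username works; the token is the password.
        cred = base64.b64encode(b"x:" + token.encode()).decode()
        return {"Authorization": "Basic " + cred}
    return {"Authorization": "Splunk " + token}


def hec_url(base, path, **query):
    """Build /services/collector, /raw or /ack URLs with encoded query parameters."""
    qs = urllib.parse.urlencode({k: v for k, v in query.items() if v is not None})
    return base.rstrip("/") + path + ("?" + qs if qs else "")


def post(url, headers, body, cafile=None):
    """POST a body and decode the JSON reply, verifying the server certificate
    (cafile is the CA that signed it; None uses the system trust store)."""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def outstanding(ack_ids, ack_response):
    """Return the ackIds from ack_ids that the collector has not marked true.
    JSON object keys are strings, so ids are compared as strings; an id that
    is missing from the reply is treated as still outstanding."""
    acks = ack_response.get("acks", {})
    return [i for i in ack_ids if acks.get(str(i)) is not True]


def send_batch_with_ack(events, cafile=None, tries=5, wait=1.0):
    """Send one batch on CHANNEL, then poll the ack endpoint until its ackId is
    acknowledged. Returns the list of ackIds still outstanding (empty on success)."""
    headers = hec_headers(TOKEN)
    reply = post(hec_url(HEC_URL, "/services/collector", channel=CHANNEL),
                 headers, encode_batch(events), cafile)
    pending = [reply["ackId"]]  # one ackId covers the whole request
    ack_url = hec_url(HEC_URL, "/services/collector/ack", channel=CHANNEL)
    for _ in range(tries):
        status = post(ack_url, headers, json.dumps({"acks": pending}).encode(), cafile)
        pending = outstanding(pending, status)
        if not pending:
            break
        time.sleep(wait)
    return pending


# Constructed ack reply: ids 1 and 4 indexed, id 3 still pending.
SAMPLE_ACK_STATUS = {"acks": {"1": True, "3": False, "4": True}}

if __name__ == "__main__":
    # Needs a reachable HEC endpoint; retry or alert on a non-empty result.
    still_pending = send_batch_with_ack([
        {"event": "Pony 1 has left the barn"},
        {"event": "Pony 2 has left the barn", "sourcetype": "manual"},
    ])
    print("unacknowledged:", still_pending)
```

A non-empty return from send_batch_with_ack means the batch was accepted but not confirmed indexed within the polling window; a sender that cares about durability should resend rather than assume success, since acceptance at /services/collector only means the collector received the request.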
Extract JSON fields from events sent to HEC
The following example demonstrates how to instruct Splunk Enterprise or Splunk Cloud to extract JSON fields from the events sent to HEC.
# Extracting JSON fields
curl -k "https://http-inputs.mysplunkserver.splunkcloud.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'
Extract explicit JSON fields from events sent to HEC
The following example is similar to the previous example, but it specifies the fields explicitly in the fields key rather than relying on extraction from the event body.
# Explicit JSON fields
curl -k "https://mysplunkserver.example.com:8088/services/collector/event" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.1.1