Related Answers
Download topic as PDF
HTTP Event Collector Examples
Basic example
This example demonstrates basic HEC usage. It includes the Splunk server address including port and endpoint, the authentication token, and event data and metadata formatted according to the HEC event data format specification.
curl -k "https://mysplunkserver.example.com:8088/services/collector" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"event": "Hello, world!", "sourcetype": "manual"}'
Batching example
This example demonstrates sending multiple events in one request. Though you can send multiple events in a single request, you can't split one event across multiple requests.
curl -k "https://mysplunkserver.example.com:8088/services/collector" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'
Raw example
This example demonstrates sending raw text to HEC. Note the use of the raw endpoint, plus the channel identifier and sourcetype specification, both of which are done using URL query parameters.
curl -k "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" -d '1, 2, 3... Hello, world!'
Raw example with batching
This example shows how to send raw, batched events to HEC. In this case, we're sending splunkd access logs. We've indicated that the indexer should assign these events the sourcetype of splunkd_access, and specified that they should be indexed by main.
curl -k "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
Indexer acknowledgement example
This example demonstrates how to send events to HEC with indexer acknowledgement enabled. Note that the sole difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.
curl -k "https://mysplunkserver.example.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"event": "Hello, world!", "sourcetype": "manual"}'
Check acknowledgement status example
This example demonstrates how to check the indexing status of a prior HEC request. Note that we're sending the request to the ack endpoint, and we're including "acks" key, which is set equal to the three acknowledgement identifiers (ackIDs) whose status we want to know.
curl -k "https://mysplunkserver.example.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"acks": [1,3,4]}'
Extract JSON fields example
This example demonstrates how to instruct Splunk Enterprise or Splunk Cloud to extract JSON fields from the events sent to HEC.
curl -k "https://mysplunkserver.example.com:8088/services/collector" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'
Explicit JSON fields example
This example is similar to the previous example, but it explicitly specifies the JSON fields.
curl -k "https://mysplunkserver.example.com:8088/services/collector/event" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'
Basic authentication example
This example demonstrates basic authentication, which is an alternative to the HTTP Authentication that has been demonstrated in all of the previous examples. To use basic auth, place a colon-separated user/password pair in the request after -u as shown here, inserting the token as the <password> and any string (we've used x) as the <user>: "<user>:<password>".
curl -k -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://mysplunkserver.example.com:8088/services/collector/event" \
-d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'
|
PREVIOUS HTTP Event Collector REST API endpoints |
NEXT Troubleshoot HTTP Event Collector |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.1.1
Feedback submitted, thanks!