HTTP Event Collector examples

The HTTP Event Collector (HEC) input has a myriad of use cases. The following examples show how you can use HEC to index streams of data. They also show how you must send data to the HEC input. You can use these examples to model how to send your own data to HEC in either Splunk Cloud or Splunk Enterprise.

The examples on this page use the curl command. Typically, the example commands use the following arguments:

The -k argument is insecure, so don't use it to check security certificates. Don't use this argument in a production environment or where security is necessary.

There's no requirement to use the curl command to submit events to HEC. You can use any tool or application that is compatible with the HTTP and REST specifications.

Example 1: Basic example

This example demonstrates basic HEC usage. It includes the Splunk platform instance address, port, and REST endpoint, as well as the authentication token, event data, and metadata. The example is formatted according to the HEC event data format specification.

curl -k "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'

Example 2: Send multiple events to HEC

This example demonstrates how to send multiple events in one request. While you can send multiple events in a single request, you can't split one event across multiple requests.

curl -k "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'

Example 3: Send raw text to HEC

This example demonstrates sending raw text to HEC. To send raw text, you must use the raw endpoint, plus the channel identifier and source type specification. You submit both of these settings using URL query parameters.

curl -k "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" -d '1, 2, 3... Hello, world!'

Example 4: Send multiple raw text events to HEC

This example demonstrates how to send raw, batched events to HEC. In this case, the command sends splunkd access logs. The command indicates that the indexer is to assign these events the source type of splunkd_access, and specifies that they are to go into the main index.

curl -k "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'

Example 5: Indexer acknowledgement of HEC event data

This example demonstrates how to send events to HEC with indexer acknowledgement of incoming HEC data. The difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.

curl -k "https://mysplunkserver.example.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'

Example 6: Check indexer acknowledgement status

This example demonstrates how to check the indexing status of a previous HEC request. The command sends the request to the ack REST endpoint, and includes the acks key, which you set to be equal to the three acknowledgement identifiers whose status you want to see.

curl -k "https://mysplunkserver.example.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"acks": [1,3,4]}'

Example 7: Extract JSON fields

This example demonstrates how to instruct the Splunk platform to extract JSON fields from the events you send to HEC.

curl -k "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'

Example 8: Explicit JSON fields

This example is similar to the previous example, but it explicitly specifies the JSON fields.

curl -k "https://mysplunkserver.example.com:8088/services/collector/event" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'

Example 9: Basic authentication

This example demonstrates basic authentication, which is an alternative to the HTTP authentication used in the previous examples. To use basic authentication, use the -u argument to include a colon-separated user-password pair in the request. You can use anything for the <user> string and the token is the <password>.

curl -k -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://mysplunkserver.example.com:8088/services/collector/event" \
    -d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'