
Set up and use HTTP Event Collector from the CLI
You can use the http-event-collector parameter of the Splunk CLI and its options to administer an HTTP Event Collector instance on a Splunk Enterprise server. This topic lists the available HEC options.
For more information about the CLI, see the following:
CLI syntax
There are two syntaxes to use when you administer HEC via the CLI:
- The syntax for all HEC actions other than sending data (such as creating, deleting, and showing tokens)
- The syntax for sending data to HEC
Use the following syntax for all actions except sending data to HEC:
splunk http-event-collector <command> <token-name> [<option2>] [<-parameter1> <value1>] [<-parameter2> <value2>] <data>
All HTTP Event Collector commands (except for send) assume that the first option following the command name is the name of the token. In addition, the create command assumes that the second option is a description of the token in quotation marks.
Use the following syntax to send data to HEC:
splunk http-event-collector send -uri <uri_value> -name <token-name> <data>
If you want to apply the CLI commands to the global configuration, do not use the -name <token-name> argument. For example, the following enables HTTP Event Collector:
splunk http-event-collector enable -uri <uri_value> <data>
Supported CLI commands
The following HTTP Event Collector-specific CLI commands are supported:
Command | Description |
---|---|
create | Create a new token. |
delete | Remove a token. |
list | Show all available tokens. |
update | Change token properties. |
enable | Enable a token. |
disable | Disable a token. |
help | Show help. |
send | Send data to an endpoint. |
Supported CLI parameters
HEC supports the following CLI parameters. You must immediately follow a CLI parameter with its value. You must wrap any values that contain spaces in quotation marks.
Parameter | Description |
---|---|
-uri | The Uniform Resource Identifier (URI) of the Splunk server in the form: scheme://host:port. As an alternative to setting this parameter, you can set the $SPLUNK_URI environment variable. Use the management port of your Splunk server (by default, 8089), not the HTTP Event Collector port (by default, 8088). |
-auth | Splunk server user authentication in the form: username:password. If this parameter is missing, you are prompted for a username and password. |
-name | The name of the token. |
-disabled | Whether to disable the token. 1 indicates true; 0 indicates false. |
-description | A description of the token. |
-indexes | A list of indexes accepted by the token. |
-index | The token default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set. |
-source | The token default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set. |
-sourcetype | The token default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set. |
-outputgroup | The token default outputgroup value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an outputgroup value set. |
-port | The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter. |
-enable-ssl | Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS; 0 indicates HTTP. |
-dedicated-io-threads | The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. This setting should not be altered unless you have been requested to do so by Splunk Support. The value of this parameter should never be more than the number of physical CPU cores on your Splunk Enterprise server. |
-output-format | The output format. txt indicates text; json indicates JSON. The default value is txt. |
Example CLI syntax
The following example CLI entry creates a token called "new-token," assigns it the given URI, gives it a description (in quotation marks), sets it to disabled, and indicates HTTP Event Collector data should be saved to the "log" index.
splunk http-event-collector create new-token -uri https://localhost:8089 -description "this is a new token" -disabled 1 -index log
The following example CLI entry enables the token called "myapp," assigns it the given URI, and sets the user authentication as shown:
splunk http-event-collector enable -name myapp -uri https://localhost:8089 -auth admin:changeme
The following example CLI entry sends data ("this is some data") to HTTP Event Collector using the given token and URI.
splunk http-event-collector send -uri https://localhost:8089 -token new-token {"this is some data"}
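A pre-flight check for invocations like the ones above, as an added example that is not part of the Splunk documentation: it flags -auth credentials given inline (they end up in shell history and the process list, whereas omitting -auth makes the CLI prompt), a -uri that uses http:// or the HEC port 8088 instead of the management port, and -enable-ssl 0. The function name hec_cli_lint and the finding codes are made up for this sketch.

```shell
#!/bin/sh
# Added example, not Splunk code: lint the arguments of a
# `splunk http-event-collector ...` call before it is run.
# hec_cli_lint and the finding codes are names invented for this sketch.
hec_cli_lint() {
    findings=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -auth)
                # username:password on the command line is visible in shell
                # history and the process list; omit -auth to be prompted.
                case "${2-}" in *:*) findings="$findings AUTH_INLINE" ;; esac ;;
            -uri)
                # Credentials and tokens cross this connection.
                case "${2-}" in http://*) findings="$findings CLEARTEXT_URI" ;; esac
                # -uri wants the management port (default 8089),
                # not the HEC port (default 8088).
                case "${2-}" in *:8088|*:8088/*) findings="$findings HEC_PORT" ;; esac ;;
            -enable-ssl)
                # 0 switches the collector itself to plain HTTP.
                case "${2-}" in 0) findings="$findings SSL_OFF" ;; esac ;;
        esac
        # A parameter is always followed by its value: skip the pair.
        case "$1" in -*) if [ "$#" -gt 1 ]; then shift; fi ;; esac
        shift
    done
    findings="${findings# }"
    printf '%s\n' "$findings"   # space-separated codes, empty when clean
    [ -z "$findings" ]          # non-zero status if anything was flagged
}

# Constructed sample: the page's "enable" example, which passes -auth inline.
hec_cli_lint http-event-collector enable -name myapp \
    -uri https://localhost:8089 -auth admin:changeme || :   # prints AUTH_INLINE
```

Call it with the same arguments you intend to pass to splunk; an empty line and exit status 0 mean nothing was flagged.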
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1