Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Set up and use HTTP Event Collector from the CLI

You can use the http-event-collector parameter of the Splunk command line interface (CLI) and its options to administer an HTTP Event Collector (HEC) instance on a Splunk Enterprise server.

It's not possible to use HEC on a Splunk Cloud Platform instance from the CLI. If you have a Splunk Cloud Platform instance, log into the instance and manage HEC from Splunk Web instead.

For more information about the CLI, see the following topics in the Splunk Enterprise Admin Manual:

CLI syntax

There are two syntaxes to use when you administer HEC through the CLI:

  • The syntax for all other HEC actions, such as creating, deleting, and showing tokens
  • The syntax for sending data to HEC

Use the following syntax for all actions except sending data to HEC: 

splunk http-event-collector <command> <token-name> [<option2>] [<-parameter1> <value1>] [<-parameter2> <value2>] <data>

All HTTP Event Collector commands except for send assume that the first option following the command name is the name of the token. In addition, the create command assumes that the second option is a description of the token in quotation marks.

Use the following syntax to send data to the HEC: 

splunk http-event-collector send -uri <uri_value> -name <token-name> <data>

If you want to apply the CLI commands to the global configuration, don't include the -name <token-name> argument. For example, the following syntax enables HTTP Event Collector: 

splunk http-event-collector enable -uri <uri_value> <data>

Supported CLI commands

The following HTTP Event Collector-specific CLI commands are supported in Splunk Enterprise:

Command Description
create Create a new token.
delete Remove a token.
list Show all available tokens.
update Change token properties.
enable Enable a token.
disable Disable a token.
help Show help.
send Send data to an endpoint.

Supported CLI parameters

HEC supports the following CLI parameters. You must immediately follow a CLI parameter with its value. Enclose any values that contain spaces in quotation marks.

Parameter Description
-uri The Uniform Resource Identifier (URI) of the Splunk server that takes the form scheme://host:port. As an alternative to setting this parameter, you can set the $SPLUNK_URI environment variable instead. The port number to use must be the management port of your Splunk server (8089by default), and not the HTTP Event Collector port (8088by default).
-auth Splunk server user authentication in the form username:password. If this parameter is missing, you are prompted for a username and password.
-name The name of the token.
-disabled Whether to disable the token. 1 indicates true and 0 indicates false. You must also update this setting in the global stanza for proper functionality.
-description A description of the token.
-indexes A list of indexes accepted by the token.
-index The token default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set.
-source The token default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set.
-sourcetype The token default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set.
-outputgroup The token default output group value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an output group value set.
-port The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter.
-enable-ssl Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS and 0 indicates HTTP.
-dedicated-io-threads The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. Do not alter this setting unless you have been requested to do so by Splunk Support. The value of this parameter can't be more than the number of physical CPU cores on your Splunk Enterprise server.
-output-format The output format. txt indicates text and json indicates JSON. The default value is txt.

Example CLI syntax

The following example CLI entry creates a token called new-token, assigns it the given URI, gives it a description, sets it to disabled, and indicates that the HTTP Event Collector data is to be saved to the log index. 

splunk http-event-collector create new-token -uri https://localhost:8089 -description "this is a new token" -disabled 1 -index log

The following example CLI entry enables a token called myapp, assigns it the given URI, and sets the user authentication: 

splunk http-event-collector enable -name myapp -uri https://localhost:8089 -auth admin:changeme

The following example CLI entry sends data to HTTP Event Collector using the given token and URI. 

splunk http-event-collector send -uri https://localhost:8089 -token new-token {"this is the data to send"}
Last modified on 23 June, 2022
Set up and use HTTP Event Collector with configuration files   Use cURL to manage HTTP Event Collector tokens, events, and services

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters