Related Answers
Download topic as PDF
Set up and use HTTP Event Collector from the CLI
You can use the http-event-collector parameter of the Splunk command line interface (CLI) and its options to administer an HTTP Event Collector (HEC) instance on a Splunk Enterprise server.
It's not possible to use HEC on a Splunk Cloud Platform instance from the CLI. If you have a Splunk Cloud Platform instance, log into the instance and manage HEC from Splunk Web instead.
For more information about the CLI, see the following topics in the Splunk Enterprise Admin Manual:
CLI syntax
There are two syntaxes to use when you administer HEC through the CLI:
- The syntax for all other HEC actions, such as creating, deleting, and showing tokens
- The syntax for sending data to HEC
Use the following syntax for all actions except sending data to HEC:
splunk http-event-collector <command> <token-name> [<option2>] [<-parameter1> <value1>] [<-parameter2> <value2>] <data>
All HTTP Event Collector commands except for send assume that the first option following the command name is the name of the token. In addition, the create command assumes that the second option is a description of the token in quotation marks.
Use the following syntax to send data to the HEC:
splunk http-event-collector send -uri <uri_value> -name <token-name> <data>
If you want to apply the CLI commands to the global configuration, don't include the -name <token-name> argument. For example, the following syntax enables HTTP Event Collector:
splunk http-event-collector enable -uri <uri_value> <data>
Supported CLI commands
The following HTTP Event Collector-specific CLI commands are supported in Splunk Enterprise:
| Command | Description |
|---|---|
create
|
Create a new token. |
delete
|
Remove a token. |
list
|
Show all available tokens. |
update
|
Change token properties. |
enable
|
Enable a token. |
disable
|
Disable a token. |
help
|
Show help. |
send
|
Send data to an endpoint. |
Supported CLI parameters
HEC supports the following CLI parameters. You must immediately follow a CLI parameter with its value. Enclose any values that contain spaces in quotation marks.
| Parameter | Description |
|---|---|
-uri
|
The Uniform Resource Identifier (URI) of the Splunk server that takes the form scheme://host:port. As an alternative to setting this parameter, you can set the $SPLUNK_URI environment variable instead. The port number to use must be the management port of your Splunk server (8089by default), and not the HTTP Event Collector port (8088by default).
|
-auth
|
Splunk server user authentication in the form username:password. If this parameter is missing, you are prompted for a username and password. |
-name
|
The name of the token. |
-disabled
|
Whether to disable the token. 1 indicates true and 0 indicates false. You must also update this setting in the global stanza for proper functionality.
|
-description
|
A description of the token. |
-indexes
|
A list of indexes accepted by the token. |
-index
|
The token default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set. |
-source
|
The token default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set. |
-sourcetype
|
The token default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set. |
-outputgroup
|
The token default output group value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an output group value set. |
| -port | The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter.
|
| -enable-ssl | Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS and 0 indicates HTTP.
|
| -dedicated-io-threads | The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. Do not alter this setting unless you have been requested to do so by Splunk Support. The value of this parameter can't be more than the number of physical CPU cores on your Splunk Enterprise server.
|
| -output-format | The output format. txt indicates text and json indicates JSON. The default value is txt.
|
Example CLI syntax
The following example CLI entry creates a token called new-token, assigns it the given URI, gives it a description, sets it to disabled, and indicates that the HTTP Event Collector data is to be saved to the log index.
splunk http-event-collector create new-token -uri https://localhost:8089 -description "this is a new token" -disabled 1 -index log
The following example CLI entry enables a token called myapp, assigns it the given URI, and sets the user authentication:
splunk http-event-collector enable -name myapp -uri https://localhost:8089 -auth admin:changeme
The following example CLI entry sends data to HTTP Event Collector using the given token and URI.
splunk http-event-collector send -uri https://localhost:8089 -token new-token {"this is the data to send"}
|
PREVIOUS Set up and use HTTP Event Collector with configuration files |
NEXT Use cURL to manage HTTP Event Collector tokens, events, and services |
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.1, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 8.0.0, 8.0.10, 8.0.2
Feedback submitted, thanks!