Splunk Cloud

Getting Data In

Set up and use HTTP Event Collector in Splunk Web

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.

After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files.

HEC functionality varies based on Splunk software type

HTTP Event Collector runs on both self-service and managed Splunk Cloud. If you are unsure what Splunk Cloud deployment you have, see types of Splunk Cloud deployment.

HEC and self-service Splunk Cloud

On self-service Splunk Cloud instances, HEC offers functionality similar to what it offers on Splunk Enterprise. The following exceptions apply:

  • You cannot make changes to configuration files, because Splunk Cloud does not provide that access.
  • You cannot change the network port that HEC listens on for connections.
  • You cannot forward data that HEC receives to another set of Splunk indexers as Splunk Cloud does not support forwarding output groups.

For instructions on how to enable and manage HEC on self-service Splunk Cloud, see Configure HTTP Event Collector on self-service Splunk Cloud.

HEC and managed Splunk Cloud

On Splunk Cloud deployments that Splunk manages, HEC offers an experience similar to the experience on self-service Splunk Cloud. The following exceptions apply:

  • You cannot make changes to configuration files, because Splunk Cloud does not provide that access.
  • You must file a ticket with Splunk Support to enable HEC.
  • You cannot make changes to global settings. You can only make settings changes to tokens that you create.
  • You cannot forward data that HEC receives to another set of Splunk indexers as Splunk Cloud does not support forwarding output groups.
  • The index that you choose to store events that HEC receives must already exist. You cannot create a new index during the setup process.
  • After you create tokens, you can monitor progress of the token as it is deployed across your managed Splunk Cloud instance.

For instructions on how to enable and manage HEC on managed Splunk Cloud, see Configure HTTP Event Collector on managed Splunk Cloud.

About Event Collector tokens

Tokens are entities that let logging agents and HTTP clients connect to the HEC input. Each token has a unique value, which is a 32-bit number that agents and clients use to authenticate their connections to HEC. When the clients connect, they present this token value. If HEC receives a valid token, it accepts the connection and the client can deliver its payload of application events in either text or JavaScript Object Notation (JSON) format.

HEC receives the events and Splunk Cloud indexes them based on the configuration of the token. HEC uses the source, source type, and index that were specified in the token. If a forwarding output group configuration exists on a Splunk Enterprise instance, HEC forwards the data to indexers in that output group.
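The token exchange described above, sketched as a client. This is an added example, not Splunk's code: the endpoint path, the `Authorization: Splunk <token>` header and the `event`/`sourcetype`/`index` JSON keys are taken from Splunk's HEC REST API rather than from this page, and the environment variable names, host and token value are hypothetical placeholders.

```python
import json
import os
import urllib.request

# Assumed from Splunk's HEC REST API, not stated on this page: events are
# POSTed to /services/collector/event with "Authorization: Splunk <token>".
HEC_PATH = "/services/collector/event"


def build_hec_request(base_url, token, event, sourcetype=None, index=None):
    """Build (but do not send) a POST carrying one JSON event."""
    if not base_url.lower().startswith("https://"):
        # The token is a bearer credential; keep it off plaintext HTTP.
        raise ValueError("HEC URL must use https://")
    if not token or token != token.strip():
        raise ValueError("HEC token is empty or has stray whitespace")
    body = {"event": event}
    # Optional per-event overrides; without them the token's settings apply.
    if sourcetype:
        body["sourcetype"] = sourcetype
    if index:
        body["index"] = index
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    return urllib.request.Request(base_url.rstrip("/") + HEC_PATH,
                                  data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def redacted(req):
    """Describe a request for logs without exposing the token value."""
    return "%s %s auth=Splunk ****" % (req.get_method(), req.full_url)


def send(req, timeout=10):
    # urlopen verifies the server certificate by default; do not disable it.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Hypothetical variable names; unset, only a constructed request is shown.
    url = os.environ.get("SPLUNK_HEC_URL", "https://hec.example.invalid:8088")
    token = os.environ.get("SPLUNK_HEC_TOKEN", "CONSTRUCTED-TOKEN")
    req = build_hec_request(url, token, {"action": "login", "user": "alice"})
    print(redacted(req))
    if "SPLUNK_HEC_URL" in os.environ:
        print(send(req))
```

Reading the token from the environment keeps it out of source control, and logging only `redacted(req)` keeps it out of application logs.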

Configure HTTP Event Collector on self-service Splunk Cloud

Enable HTTP Event Collector

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. In the All Tokens toggle button, select Enabled.
  5. (Optional) Choose a Default Source Type for all HEC tokens. You can also type in the name of the source type in the text field above the drop-down before choosing the source type.
  6. (Optional) Choose a Default Index for all HEC tokens.
  7. Click Save.

Create an Event Collector token

To use HEC, you must configure at least one token.

  1. Click Settings > Add Data.
  2. Click monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  8. Click Next.
  9. (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
  10. Click Review.
  11. Confirm that all settings for the endpoint are what you want.
  12. If all settings are what you want, click Submit. Otherwise, click < to make changes.
  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.

For information about HEC tokens, see About Event Collector tokens.

For information on indexer acknowledgment, see HTTP Event Collector indexer acknowledgment. Indexer acknowledgment in HTTP Event Collector is not the same as the indexer acknowledgment capability described in indexer acknowledgment and indexer clusters.

Modify an Event Collector token

You can make changes to an HEC token after you have created it.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Locate the token that you want to change in the list.
  4. In the Actions column for that token, click Edit. You can also click the link to the token name.
  5. (Optional) Edit the description of the token by entering updated text in the Description field.
  6. (Optional) Update the source value of the token by entering text in the Source field.
  7. (Optional) Choose a different source type by selecting it in the Source Type drop-down.
    1. Choose a category.
    2. Select a source type in the pop-up menu that appears.
    3. (Optional) You can also type in the name of the source type in the text box at the top of the drop-down.

  8. (Optional) Choose a different index by selecting it in the Available Indexes pane of the Select Allowed Indexes control.
  9. (Optional) Choose whether you want indexer acknowledgment enabled for the token.
  10. Click Save.

Delete an Event Collector token

You can delete an HEC token. Deleting an HEC token does not affect other HEC tokens, nor does it disable the HEC endpoint.

You cannot undo this action. Clients that use this token to send data to your Splunk deployment can no longer authenticate with the token. You must generate a new token and change the client configuration to use the new token.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Locate the token that you want to delete in the list.
  4. In the Actions column for that token, click Delete.
  5. In the Delete Token dialog, click Delete.

Enable and disable Event Collector tokens

You can enable or disable an HEC token from within the HEC management page. Changing the status of one token does not change the status of other tokens. To enable or disable all tokens, use the Global Settings dialog. See Enable the HTTP Event Collector.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. In the Actions column for that token, click the Enable link, if the token is not active, or the Disable link, if the token is active. The token status toggles and the link changes to Enable or Disable based on the changed token status.

Configure HTTP Event Collector on managed Splunk Cloud

Create an Event Collector token

To use HEC, you must configure at least one token. In managed Splunk Cloud instances, the token is distributed across the deployment. The token is not ready for use until distribution has completed.

  1. Click Settings > Add Data.
  2. Click monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  8. Click Next.
  9. (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
  10. Click Review.
  11. Confirm that all settings for the endpoint are what you want.
  12. If all settings are what you want, click Submit. Otherwise, click < to make changes.
  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
  14. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud deployment. When you see a status of "Done", you can then use the token to send data to HEC.

For information about HEC tokens, see About Event Collector tokens.

For information on indexer acknowledgement, see Enable indexer acknowledgement. Indexer acknowledgement in HTTP Event Collector is not the same as the indexer acknowledgement capability in Splunk Cloud.

Check Event Collector token distribution status

You can check the distribution status of an HEC token from the HEC token page. When a distribution is in progress, the page displays "Operation in progress" and a progress bar. Otherwise, the page displays "Last deployment status."

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Operation in progress or Last deployment status.
  4. View the status of the token distribution.
  5. Click Close.

Modify an Event Collector token

You can make changes to an HEC token after it has been created.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Locate the token that you want to change in the list.
  4. In the Actions column for that token, click Edit. You can also click the link to the token name.
  5. (Optional) Edit the description of the token by entering updated text in the Description field.
  6. (Optional) Update the source value of the token by entering text in the Source field.
  7. (Optional) Choose a different source type by selecting it in the Source Type drop-down.
    1. Choose a category.
    2. Select a source type in the pop-up menu that appears.
    3. (Optional) You can also type in the name of the source type in the text box at the top of the drop-down.
  8. (Optional) Choose a different index by selecting it in the Available Indexes pane of the Select Allowed Indexes control.
  9. (Optional) Choose whether you want indexer acknowledgment enabled for the token.
  10. Click Save.

Delete an Event Collector token

You can delete an HEC token. Deleting an HEC token does not affect other HEC tokens, nor does it disable the HEC endpoint.

You cannot undo this action. Clients that use this token to send data to your Splunk deployment can no longer authenticate with the token. You must generate a new token and change the client configuration to use the new value.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Locate the token that you want to delete in the list.
  4. In the Actions column for that token, click Delete.
  5. In the Delete Token dialog, click Delete.

Enable and disable Event Collector tokens

You can enable or disable a token from within the HEC management page. Changing the active status of one token does not change the status of other tokens.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. In the Actions column for a token, click the Enable link, if the token is not active, or the Disable link, if the token is active. The token status toggles and the link changes to Enable or Disable based on the changed token status.
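What a sending client sees once a token has been deleted or disabled, as covered in the Delete and Enable and disable sections for both deployment types. This is an added example, not Splunk's code: the reply codes follow Splunk's HEC REST reference (this page does not list them), the action names are hypothetical, and the sample replies are constructed.

```python
import json

# Reply codes as documented in Splunk's HEC REST reference (an assumption
# here; this page does not list them).
REVOKED = {1: "token disabled", 4: "invalid token"}
BAD_AUTH = {2: "token missing from request", 3: "malformed Authorization header"}
RETRYABLE = {8: "internal server error", 9: "server busy"}


def classify_hec_reply(http_status, body_text):
    """Map an HEC reply to (action, reason) for the sending client."""
    try:
        reply = json.loads(body_text)
        code = int(reply.get("code", -1))
    except (ValueError, TypeError, AttributeError):
        # Not an HEC JSON reply (for example a proxy error page).
        action = "retry_with_backoff" if http_status >= 500 else "alert"
        return (action, "non-JSON reply, HTTP %d" % http_status)
    if http_status == 200 and code == 0:
        return ("ok", "accepted")
    if code in REVOKED:
        # Retrying cannot succeed: stop sending and request a new token.
        return ("stop_and_rotate", REVOKED[code])
    if code in BAD_AUTH:
        return ("fix_client", BAD_AUTH[code])
    if code in RETRYABLE or http_status >= 500:
        return ("retry_with_backoff", RETRYABLE.get(code, "HTTP %d" % http_status))
    return ("drop_and_log", str(reply.get("text", "unknown")))


# Constructed sample replies: (HTTP status, response body).
SAMPLES = [
    (200, '{"text":"Success","code":0}'),
    (403, '{"text":"Token disabled","code":1}'),
    (403, '{"text":"Invalid token","code":4}'),
    (503, '{"text":"Server is busy","code":9}'),
    (400, '{"text":"Incorrect index","code":7}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, body, "->", classify_hec_reply(status, body))
```

A client that keeps retrying on `stop_and_rotate` only generates failed-authentication noise; treat that result as a signal to alert the token owner and buffer events until a new token is configured.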

This documentation applies to the following versions of Splunk Cloud: 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7

