
Send data to HTTP Event Collector
You must satisfy all of the following conditions when you send data to HEC:
- HEC must be enabled
- You must have at least one active HEC token available
- You must use an active token to authenticate into HEC
- You must format the data that goes to HEC in a certain way. See Format Events for HTTP Event Collector.
There are several options for sending data to HTTP Event Collector:
- You can make an HTTP request using your favorite HTTP client and send your JSON-encoded events.
- As a developer, you can use the Java, JavaScript (
node.js
), and .NET logging libraries in your application to send data to HEC. These libraries are compatible with popular logging frameworks. See Java, JavaScript (Node.js), and .NET on the Splunk Dev Portal.
Send data to HTTP Event Collector on Splunk Cloud instances
Depending on the type of Splunk Cloud that you use, you must send data using a specific URI for HEC.
The standard form for the HEC URI in e-commerce Splunk Cloud is as follows:
<protocol>://input-<host>:<port>/<endpoint>
The standard form for the HEC URI in managed Splunk Cloud or Splunk Cloud trials is as follows:
<protocol>://http-inputs-<host>:<port>/<endpoint>
Where:
- <protocol> is
https
- <host> is the the Splunk Cloud URL, so for example if your URL is https://mydeployment.splunk.com, the format that you would want for a managed Splunk Cloud instance would look like the following:
https://http-inputs-mydeployment.splunkcloud.com:443 - <port> is the HEC port number
- 8088 on e-commerce Splunk Cloud instances
- 443 on managed Splunk Cloud instances
- <endpoint> is the HEC endpoint you want to use. In many cases, you use the
/services/collector
endpoint for JavaScript Object Notation (JSON)-formatted events or theservices/collector/raw
endpoint for raw events - For e-commerce Splunk Cloud plans, you must pre-pend the hostname with
input-
- For managed Splunk Cloud plans, pre-pend the hostname with
http-inputs-
If you do not include these prefixes before your Splunk Cloud hostname when you send data, the data cannot reach HEC.
Manage HEC events and services with cURL
The following commands show you how you can send events to and manage HEC services. You can use these cURL commands to test your endpoints.
Before running this command in a test environment, disable indexer acknowledgement on the token. This option may have been set when you modified an Event Collector token. When this option is set for the token, the cURL command fails with the following error: "{"text":"Data channel is missing","code":10}". After you have successfully tested the command, be sure to re-enable indexer acknowledgement for the token.
Send an event to HEC
The following example demonstrates basic HEC usage. It includes the Splunk server address with port and endpoint, the authentication token, and event data and metadata formatted according to the HEC event data format specification.
Managed Splunk Cloud
curl -k https://http-inputs-mysplunkserver.splunkcloud.com:443/services/collector/event \ -H "Authorization: Splunk BA696D5E-CA2F-4347-97CB-3C89F834816F" \ -d '{"event": "hello world"} {"text": "Success", "code": 0}
E-commerce Splunk Cloud
curl -k https://input-mysplunkserver.splunk.com:8088/services/collector/event \ -H "Authorization: Splunk B5A89CAD-D842-46CC-80A1-017F83D7CFB2" \ -d '{"event": "hello world"}' {"text": "Success", "code": 0}
Send an event to HEC using basic authentication
This example demonstrates basic authentication, which is an alternative to the HTTP Authentication. To use basic authentication, submit a colon-separated user/password pair in the request as the -u
argument. using any string as the username and the token as the <password>: <user>:<password>
.
# Basic auth curl -k -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://input-mysplunkserver.splunk.com:8088/services/collector/event" \ -d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'
Send multiple events to HEC in one request
The following example demonstrates sending multiple events in one request. Though you can send multiple events in a single request, you cannot split one event across multiple requests.
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'
Send raw text to HEC
The following example demonstrates sending raw text to HEC. Note the use of the raw endpoint, plus the channel identifier and sourcetype specification, both of which are done using URL query parameters.
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" -d '1, 2, 3... Hello, world!'
Send raw batched events to HEC
The following example demonstrates how to send raw, batched events to HEC. In this case, the command sends splunkd access logs. It indicates that the indexer should assign these events the sourcetype of splunkd_access
, and specified that they should be sent to the main
index.
# HEC Raw batching curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
Send events to HEC with indexer acknowledgement enabled
The following example demonstrates how to send events to HEC with indexer acknowledgement enabled. Note that the sole difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.
# Indexer ack curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '{"event": "Hello, world!", "sourcetype": "manual"}'
Check HEC indexer acknowledgement status
The following example demonstrates how to check the indexing status of a prior HEC request. It sends the request to the ack
endpoint, and includes the acks
key, which is set to the three acknowledgement identifiers (ackIDs) whose status is queried.
# Check ack status curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '{"acks": [1,3,4]}'
Extract JSON fields from events sent to HEC
The following example demonstrates how to instruct Splunk Enterprise or Splunk Cloud to extract JSON fields from the events sent to HEC.
# Extracting JSON fields curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'
Extract Explicit JSON fields from events sent to HEC
The following example is similar to the previous example, but it explicitly specifies the JSON fields.
# Explicit JSON fields curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/event" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'
PREVIOUS Format events for HTTP Event Collector |
NEXT About HTTP Event Collector Indexer Acknowledgment |
This documentation applies to the following versions of Splunk Cloud™: 7.2.9
Feedback submitted, thanks!