Splunk Cloud

Getting Data In

This documentation does not apply to the most recent version of Splunk Cloud.

Send data to HTTP Event Collector

You must satisfy all of the following conditions when you send data to HEC:

  • HEC must be enabled
  • You must have at least one active HEC token available
  • You must use an active token to authenticate into HEC
  • You must format the data that goes to HEC in a certain way. See Format Events for HTTP Event Collector.

There are several options for sending data to HTTP Event Collector:

  • You can make an HTTP request using your favorite HTTP client and send your JSON-encoded events.
  • As a developer, you can use the Java, JavaScript (node.js), and .NET logging libraries in your application to send data to HEC. These libraries are compatible with popular logging frameworks. See Java, JavaScript (Node.js), and .NET on the Splunk Dev Portal.

Send data to HTTP Event Collector on Splunk Cloud instances

Depending on the type of Splunk Cloud that you use, you must send data using a specific URI for HEC.

The standard form for the HEC URI in e-commerce Splunk Cloud is as follows:


The standard form for the HEC URI in managed Splunk Cloud or Splunk Cloud trials is as follows:



  • <protocol> is https
  • <host> is the Splunk Cloud URL. For example, if your URL is https://mydeployment.splunk.com, the format that you would want for a managed Splunk Cloud instance would look like the following:
  • <port> is the HEC port number
    • 8088 on e-commerce Splunk Cloud instances
    • 443 on managed Splunk Cloud instances
  • <endpoint> is the HEC endpoint you want to use. In many cases, you use the /services/collector endpoint for JavaScript Object Notation (JSON)-formatted events or the /services/collector/raw endpoint for raw events
  • For e-commerce Splunk Cloud plans, you must prepend the hostname with input-
  • For managed Splunk Cloud plans, prepend the hostname with http-inputs-

If you do not include these prefixes before your Splunk Cloud hostname when you send data, the data cannot reach HEC.
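The prefix and port rules above, as an added shell example that is not part of the Splunk documentation: it builds the HEC URI for either deployment type and sends an event without exposing the token on the command line. The names hec_uri, hec_send, HEC_TOKEN and the "managed"/"ecommerce" labels are assumptions made for this sketch; unlike the cURL test commands later on this page, it omits -k so TLS certificate verification stays on.

```shell
#!/bin/sh
# Added example (not Splunk code). hec_uri, hec_send, HEC_TOKEN and the
# "managed"/"ecommerce" labels are names assumed for this sketch.

# hec_uri KIND HOST ENDPOINT -> prints the HEC URI for that deployment type.
hec_uri() {
    kind=$1 host=$2 endpoint=$3
    # Accept a bare hostname or a pasted URL: drop scheme, port and path.
    host=${host#https://}
    host=${host#http://}
    host=${host%%[:/]*}
    case $kind in
        managed)   prefix=http-inputs- port=443 ;;
        ecommerce) prefix=input- port=8088 ;;
        *) echo "unknown deployment type: $kind" >&2; return 2 ;;
    esac
    # Do not double the prefix when the caller already included it.
    case $host in
        "$prefix"*) ;;
        *) host=$prefix$host ;;
    esac
    printf 'https://%s:%s/%s\n' "$host" "$port" "${endpoint#/}"
}

# hec_send URI JSON -> POSTs JSON to URI and prints the HEC response.
# The token comes from the HEC_TOKEN environment variable and reaches curl
# through --config on stdin, so it is not visible in the process list
# (printf is a builtin in bash and dash). No -k: the certificate is verified.
hec_send() {
    [ -n "${HEC_TOKEN:-}" ] || { echo "HEC_TOKEN is not set" >&2; return 2; }
    printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
        curl --silent --show-error --config - --data "$2" "$1"
}

# Constructed sample host, taken from the URL form used in the text.
hec_uri managed   https://mydeployment.splunk.com /services/collector/event
hec_uri ecommerce mydeployment.splunk.com services/collector/raw
# To send: hec_send "$(hec_uri managed "$HOST" /services/collector/event)" \
#              '{"event": "hello world"}'
```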

Manage HEC events and services with cURL

The following commands show you how you can send events to and manage HEC services. You can use these cURL commands to test your endpoints.

Before running this command in a test environment, disable indexer acknowledgement on the token. This option may have been set when you modified an Event Collector token. When this option is set for the token, the cURL command fails with the following error: "{"text":"Data channel is missing","code":10}". After you have successfully tested the command, be sure to re-enable indexer acknowledgement for the token.

Send an event to HEC

The following example demonstrates basic HEC usage. It includes the Splunk server address with port and endpoint, the authentication token, and event data and metadata formatted according to the HEC event data format specification.

Managed Splunk Cloud

curl -k https://http-inputs-mysplunkserver.splunkcloud.com:443/services/collector/event \
-H "Authorization: Splunk BA696D5E-CA2F-4347-97CB-3C89F834816F" \
-d '{"event": "hello world"}'

{"text": "Success", "code": 0}

E-commerce Splunk Cloud

curl -k https://input-mysplunkserver.splunk.com:8088/services/collector/event \
-H "Authorization: Splunk B5A89CAD-D842-46CC-80A1-017F83D7CFB2" \
-d '{"event": "hello world"}'

{"text": "Success", "code": 0}

Send an event to HEC using basic authentication

This example demonstrates basic authentication, which is an alternative to the HTTP Authorization header. To use basic authentication, submit a colon-separated <user>:<password> pair in the request as the -u argument, using any string as the <user> and the token as the <password>.

# Basic auth
curl -k -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://input-mysplunkserver.splunk.com:8088/services/collector/event" \
    -d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'

Send multiple events to HEC in one request

The following example demonstrates sending multiple events in one request. Though you can send multiple events in a single request, you cannot split one event across multiple requests.

curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'

Send raw text to HEC

The following example demonstrates sending raw text to HEC. Note the use of the raw endpoint, plus the channel identifier and sourcetype specification, both of which are done using URL query parameters.

curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" -d '1, 2, 3... Hello, world!'

Send raw batched events to HEC

The following example demonstrates how to send raw, batched events to HEC. In this case, the command sends splunkd access logs. It indicates that the indexer should assign these events the sourcetype of splunkd_access, and specifies that they should be sent to the main index.

# HEC Raw batching
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d ' - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'

Send events to HEC with indexer acknowledgement enabled

The following example demonstrates how to send events to HEC with indexer acknowledgement enabled. Note that the sole difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.

# Indexer ack
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'

Check HEC indexer acknowledgement status

The following example demonstrates how to check the indexing status of a prior HEC request. It sends the request to the ack endpoint, and includes the acks key, which is set to the three acknowledgement identifiers (ackIDs) whose status is queried.

# Check ack status
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"acks": [1,3,4]}'

Extract JSON fields from events sent to HEC

The following example demonstrates how to instruct Splunk Enterprise or Splunk Cloud to extract JSON fields from the events sent to HEC.

# Extracting JSON fields
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'

Extract Explicit JSON fields from events sent to HEC

The following example is similar to the previous example, but it explicitly specifies the JSON fields.

# Explicit JSON fields
curl -k "https://input-mysplunkserver.splunk.com:8088/services/collector/event" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'

Last modified on 07 December, 2020

This documentation applies to the following versions of Splunk Cloud: 7.2.9
