HTTP Event Collector examples
The HTTP Event Collector (HEC) input has a myriad of use cases. The following examples show how you can use HEC to index streams of data. They also show how you must send data to the HEC input. You can use these examples to model how to send your own data to HEC in either Splunk Cloud Platform or Splunk Enterprise.
The examples on this page use the curl command. Typically, the example commands use the following arguments:
Argument | Description
---|---
-d | Use this argument to supply events to HEC. You can send raw text or text in JSON format to HEC.
-u | Use this argument to specify a user. This argument is required when you use basic authentication.
-H | Use this argument to specify a header. You must supply a header to submit events to HEC whether you use HTTP authentication or basic authentication. The header is how you include the HEC token.
The -k argument is insecure because it makes curl skip verification of the server's TLS certificate. Don't use this argument in a production environment or where security is necessary.
There's no requirement to use the curl command to submit events to HEC. You can use any tool or application that is compatible with the HTTP and REST specifications.
Example 1: Basic example
This example demonstrates basic HEC usage. It includes the Splunk platform instance address, port, and REST endpoint, as well as the authentication token, event data, and metadata. The example is formatted according to the HEC event data format specification.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'
```
Example 2: Send multiple events to HEC
This example demonstrates how to send multiple events in one request. While you can send multiple events in a single request, you can't split one event across multiple requests.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Pony 1 has left the barn"}{"event": "Pony 2 has left the barn"}{"event": "Pony 3 has left the barn", "nested": {"key1": "value1"}}'
```
Example 3: Send raw text to HEC
This example demonstrates sending raw text to HEC. To send raw text, you must use the raw endpoint, plus the channel identifier and source type specification. You submit both of these settings using URL query parameters.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '1, 2, 3... Hello, world!'
```
Example 4: Send multiple raw text events to HEC
This example demonstrates how to send raw, batched events to HEC. In this case, the command sends splunkd access logs. The command indicates that the indexer is to assign these events the source type of splunkd_access, and specifies that they are to go into the main index.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
```
Example 5: Send multiple metrics at once using HEC
This example demonstrates how to send JSON-formatted events with multiple metrics using HEC. See the Get Metrics page in the Splunk Enterprise manual for more information.
```json
{
  "time": 1486683865,
  "event": "metric",
  "source": "metrics",
  "sourcetype": "perflog",
  "host": "host_1.splunk.com",
  "fields": {
    "region": "us-west-1",
    "datacenter": "dc2",
    "rack": "63",
    "os": "Ubuntu16.10",
    "arch": "x64",
    "team": "LON",
    "service": "6",
    "service_version": "0",
    "service_environment": "test",
    "path": "/dev/sda1",
    "fstype": "ext3",
    "metric_name:cpu.usr": 11.12,
    "metric_name:cpu.sys": 12.23,
    "metric_name:cpu.idle": 13.34
  }
}
```
Example 6: Indexer acknowledgement of HEC event data
This example demonstrates how to send events to HEC with indexer acknowledgement of incoming HEC data. The difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "manual"}'
```
Example 7: Check indexer acknowledgement status
This example demonstrates how to check the indexing status of a previous HEC request. The command sends the request to the ack REST endpoint, and includes the acks key, which you set to be equal to the three acknowledgement identifiers whose status you want to see.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector/ack?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"acks": [1,3,4]}'
```
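The batching of Example 2, the channel-tagged request of Example 6 and the acknowledgement query of Example 7 combined in one small client. This is an added example, not Splunk's code; the server address, token and channel are the constructed values from the curl commands above, and the request builders are separated from the network call so the payloads can be inspected offline.

```python
import json
import urllib.request

# Assumed values, taken from the page's curl examples; substitute your own.
HEC_BASE_URL = "https://mysplunkserver.example.com:8088"
HEC_TOKEN = "CF179AE4-3C99-45F5-A7CC-3284AA91CF67"
HEC_CHANNEL = "00872DC6-AC83-4EDE-8AFE-8413C3825C4C"


def build_batch(events, **metadata) -> bytes:
    """Pack several events into one request body, as in Example 2.

    Each envelope gets its own "event" plus any shared metadata
    (sourcetype, index, host, fields, time). HEC accepts the JSON objects
    back to back with no separator, exactly as the page's curl command sends them.
    """
    envelopes = [json.dumps({**metadata, "event": ev}, separators=(",", ":"))
                 for ev in events]
    return "".join(envelopes).encode("utf-8")


def hec_request(path, body, token=HEC_TOKEN, channel=HEC_CHANNEL, base_url=HEC_BASE_URL):
    """Build a POST to a collector endpoint with token auth and a channel (Examples 1 and 6)."""
    url = f"{base_url}{path}?channel={channel}"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def ack_request(ack_ids, **kw):
    """Build the status query for /services/collector/ack (Example 7)."""
    body = json.dumps({"acks": sorted(ack_ids)}).encode("utf-8")
    return hec_request("/services/collector/ack", body, **kw)


def unacked(ack_response: bytes, ack_ids):
    """Return the ackIds the indexer has not confirmed yet.

    The ack endpoint answers {"acks": {"1": true, "3": false, ...}}, keyed by the
    ackId as a string. Re-query until this list is empty before discarding source data.
    """
    status = json.loads(ack_response)["acks"]
    return [i for i in sorted(ack_ids) if not status.get(str(i), False)]


def send(req, opener=urllib.request.urlopen):
    """Send a built request and return the parsed JSON reply, e.g. {"text": "Success", "code": 0, "ackId": 0}."""
    with opener(req) as resp:
        return json.loads(resp.read())
```

Each successful POST to a channel-tagged collector endpoint returns an ackId; collect them, pass them to ack_request, and treat the ids still reported by unacked as not yet durably indexed.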
Example 8: Extract JSON fields
This example demonstrates how to instruct the Splunk platform to extract JSON fields from the events you send to HEC.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"sourcetype": "_json", "event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'
```
Example 9: Explicit JSON fields
This example is similar to the previous example, but it explicitly specifies the JSON fields.
```shell
curl "https://mysplunkserver.example.com:8088/services/collector/event" \
    -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
    -d '{"event": "Hello, world!", "sourcetype": "cool-fields", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'
```
Example 10: Basic authentication
This example demonstrates basic authentication, which is an alternative to the HTTP authentication used in the previous examples. To use basic authentication, use the -u argument to include a colon-separated user-password pair in the request. You can use anything for the <user> string; the token is the <password>.
```shell
curl -u "x:CF179AE4-3C99-45F5-A7CC-3284AA91CF67" "https://mysplunkserver.example.com:8088/services/collector/event" \
    -d '{"sourcetype": "mysourcetype", "event": "Hello, world!"}'
```
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)