HTTP Event Collector (HEC) in Splunk

Configuring HTTP Event Collector to receive data into Splunk

This post focuses on introducing, explaining and implementing HEC in the simplest way possible.

For those who are wondering what the HTTP Event Collector is and why it exists:

The HTTP Event Collector, often abbreviated as "HEC", is an efficient way to send data to Splunk instances. It lets you send data over HTTP (or HTTPS) directly to Splunk instances from your application. HEC was created and introduced with application developers in mind, allowing them to send data to Splunk by adding just a few lines of code to an app.

Further, HEC is token based, so you don't have to hard-code your Splunk credentials in your app or supporting files. The HTTP Event Collector (HEC) gives developers a reliable method to send application logging and metrics data straight to Splunk instances via HTTP in a fast, convenient, efficient and secure manner.

Now that you know the purpose of the HTTP Event Collector (HEC), we can start configuring it to receive data.

Step i) On your Splunk instance, navigate to:

Settings >> Data Inputs >> HTTP Event Collector

In the top right corner locate and click on the button “Global Settings”.


Now,

a) Change All Tokens to “Enabled”.

b) Select a Default source Type. (Optional)

c) Select a Default Index. (We are using index "main" here.)

d) Select a Default Output Group. (If you have one)

e) Check or uncheck the "Use Deployment Server" option. (Depending on your requirement.)

f) Check or Uncheck “Enable SSL” depending on whether you want to send data over SSL/HTTPS or not.

g) Change HTTP Port Number. (Optional).

h) Save your settings.

Step ii) Go to the top right corner again and select New Token.


a) Give your HTTP Token a suitable name.

b) Enter a value in "Source name override" only if you want the source of all data arriving through this token to be replaced by this value. (Optional)

c) Give a suitable Description to your token. (optional)

d) Select an output group for this token. (Optional)

e) Click Next

Step iii) Select or create a source type. (Default: Automatic)

Step iv) Review your HTTP Event Collector (HEC) token.

Step v) Click on Submit.

Step vi) Copy the token value. (Needed to specify the token while sending data.)

CONGRATS!! You have created your first HTTP Event Collector Token.

But, before you distribute any of your tokens to index data directly to your Splunk, you must test it.

Some of you may YELL!!  HOW !!

But it's pretty simple: you can use curl, a command line tool and library for transferring data with URLs.

You can download curl from here:

https://curl.haxx.se/download.html

Select and download the right curl package for your system.

Once done,

Open Command Prompt/Terminal on your system.

Navigate to the location $CURL_HOME/bin on Linux or $CURL_HOME\bin on Windows.

NOTE: $CURL_HOME is the path to your curl folder/directory. Then try this example:

Linux:

curl -k http://your_host_name:8088/services/collector/event -H 'Authorization: Splunk <Token value>' -d '{"event": "This text will be indexed into splunk!"}'

Windows:

curl -k http://your_host_name:8088/services/collector/event -H "Authorization: Splunk <Token value>" -d "{\"event\": \"This text will be indexed into splunk!\"}"

VOILA!!!

You have successfully indexed your data via the HTTP Event Collector in Splunk.
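As an added example (not part of the original post), the same request from Python instead of curl: it wraps events in the HEC envelope (optionally with index, sourcetype and time), batches several events into one POST, and checks Splunk's JSON reply rather than trusting the HTTP status alone. HEC_URL and HEC_TOKEN are assumed environment variables holding your collector URL and the token copied in Step vi.

```python
import json
import os
import ssl
import urllib.error
import urllib.request

def hec_event(event, source=None, sourcetype=None, index=None, time=None):
    """Wrap one event in the HEC envelope; 'event' may be a string or a JSON-serialisable dict."""
    envelope = {"event": event}
    for key, value in (("source", source), ("sourcetype", sourcetype),
                       ("index", index), ("time", time)):
        if value is not None:
            envelope[key] = value
    return envelope

def hec_batch(events):
    """HEC accepts several envelopes concatenated in one request body, so one POST per batch."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode()

def hec_accepted(body):
    """Splunk replies {"text":"Success","code":0}; any other code (e.g. 4 = invalid token) is a failure."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False
    return isinstance(reply, dict) and reply.get("code") == 0

def send_to_hec(url, token, events, verify_tls=True):
    """POST a batch with the token in the Authorization header; return whether Splunk accepted it."""
    req = urllib.request.Request(url, data=hec_batch(events), method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    context = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k: only for a lab instance with a self-signed certificate
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=context, timeout=10) as resp:
            return hec_accepted(resp.read())
    except urllib.error.HTTPError as err:  # 4xx replies still carry a JSON body with the error code
        return hec_accepted(err.read())

if __name__ == "__main__":
    # Assumed placeholders: HEC_URL like https://your_host_name:8088/services/collector/event, and HEC_TOKEN
    url, token = os.environ.get("HEC_URL"), os.environ.get("HEC_TOKEN")
    if not (url and token):
        raise SystemExit("set HEC_URL and HEC_TOKEN first")
    print(send_to_hec(url, token, [hec_event("This text will be indexed into splunk!", index="main"),
                                   hec_event({"user": "alice", "action": "login"}, sourcetype="app:log")]))
```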

Happy Splunking!!
