Configuring HTTP Event Collector to receive data into Splunk
This post introduces, explains and implements HEC in the simplest way possible.
For those who are wondering what the HTTP Event Collector is and why you would use it:
The HTTP Event Collector, often abbreviated as “HEC”, is an efficient way to send data to Splunk instances. It lets you send data over HTTP (or HTTPS) directly to a Splunk instance from your application. HEC was created with application developers in mind: a developer can make an app send data to Splunk by adding a few lines of code to it.
What’s more, HEC is token-based, so you don’t have to hard-code your Splunk credentials in your app or its supporting files; the app only needs the token, which can be disabled or replaced without touching a Splunk user account. HEC gives developers a reliable way to send application logging and metrics data straight to Splunk instances via HTTP in a fast, convenient, efficient and secure manner.
Now that you know the purpose of the HTTP Event Collector (HEC), we can start configuring it to receive data.
Step i) On your Splunk instance, navigate to:
Settings >> Data Inputs >> HTTP Event Collector
In the top right corner locate and click on the button “Global Settings”.
Now,
a) Change All Tokens to “Enabled”.
b) Select a Default Source Type. (Optional)
c) Select a Default Index. (We are using index “main” here.)
d) Select a Default Output Group. (If you have one.)
e) Check or uncheck the “Use Deployment Server” option. (Depending on your requirement.)
f) Check or uncheck “Enable SSL” depending on whether you want to send data over SSL/HTTPS or not.
g) Change the HTTP Port Number. (Optional; the default is 8088.)
h) Save your settings.
Step ii) Go to the Top Right Corner again and select New Token.
a) Give your HTTP Token a suitable name.
b) Enter a value in “Source name override” only if you want the source field of every event received through this token to be replaced with that value. (Optional)
c) Give a suitable description to your token. (Optional)
d) Select an output group for this token. (Optional)
e) Click Next
Step iii) Select or create source type. (default – Automatic)
Step iv) Review your HTTP Event Collector (HEC) Token
Step v) Click on submit
Step vi) Copy the Token Value. (Needed to specify the token while sending data.)
CONGRATS!! You have created your first HTTP Event Collector Token.
But, before you distribute any of your tokens to index data directly into your Splunk, you must test it.
Some of you may YELL!! HOW !!
But it’s pretty simple: you can use curl, a command-line tool and library for transferring data with URLs.
You can download curl from here:
https://curl.haxx.se/download.html
Select and download the right curl package for your system.
Once done,
Open Command Prompt/Terminal on your system.
Navigate to the location $CURL_HOME/bin on Linux or $CURL_HOME\bin on Windows.
NOTE: $CURL_HOME is the path to your curl folder/directory. Now try this example, replacing your_host_name with your Splunk host and <Token value> with the token you copied in step vi):
Linux:
curl -k http://your_host_name:8088/services/collector/event -H 'Authorization: Splunk <Token value>' -d '{"event": "This text will be indexed into splunk!"}'
Windows:
curl -k http://your_host_name:8088/services/collector/event -H "Authorization: Splunk <Token value>" -d "{\"event\": \"This text will be indexed into splunk!\"}"
NOTE: If you checked “Enable SSL” in step i), use https:// instead of http:// in the URL. The -k flag makes curl skip certificate verification, which is fine for this one-off test against Splunk’s default self-signed certificate but should not be carried into the application that actually sends data. A successful request returns {"text":"Success","code":0}; an “Invalid token” reply means the token value or its Enabled status should be rechecked.
VOILA!!!
You have successfully indexed your data via HTTP Event collector in SPLUNK.
Happy Splunking!!
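The curl test above sends a single event by hand. For the “few lines of code in an app” case the post describes, the following is an added example (not code from the original post or from Splunk) of a small Python HEC sender. It assumes the Splunk defaults mentioned above (port 8088, endpoint /services/collector/event, the “Authorization: Splunk <token>” header) and reads the token from an environment variable, SPLUNK_HEC_TOKEN (a name chosen for this example), so the token never sits in source control. It also shows two things the curl one-liner does not: batching several events in one request, and verifying the server certificate instead of passing -k.

```python
"""Minimal HEC client: build, send and check an event batch.

Added example, not code from the original post or from Splunk. Assumes the
Splunk defaults the post describes: listener on port 8088, endpoint
/services/collector/event and the "Authorization: Splunk <token>" header.
The token is read from an environment variable named SPLUNK_HEC_TOKEN (a name
chosen for this example) so it never has to be hard-coded.
"""
import json
import os
import ssl
import time
import urllib.error
import urllib.request
from typing import Iterable, Optional, Tuple

HEC_PATH = "/services/collector/event"


def build_hec_request(base_url: str, token: str, events: Iterable[object],
                      index: Optional[str] = None, sourcetype: Optional[str] = None,
                      source: Optional[str] = None, host: Optional[str] = None,
                      now: Optional[float] = None) -> Tuple[str, dict, bytes]:
    """Return (url, headers, body) for one HEC request carrying all `events`.

    Each event is wrapped in a HEC envelope; several envelopes concatenated in
    one body is how HEC batches events. `event` may be a plain string or any
    JSON-serialisable object. index/sourcetype/source/host are optional
    per-event overrides of the defaults configured on the token.
    """
    stamp = round(time.time() if now is None else now, 3)
    envelopes = []
    for ev in events:
        env = {"event": ev, "time": stamp}
        for key, val in (("index", index), ("sourcetype", sourcetype),
                         ("source", source), ("host", host)):
            if val is not None:
                env[key] = val
        envelopes.append(json.dumps(env))
    body = "\n".join(envelopes).encode("utf-8")
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    return base_url.rstrip("/") + HEC_PATH, headers, body


def check_hec_response(status: int, body: bytes) -> Tuple[bool, str]:
    """Interpret HEC's JSON reply; success is HTTP 200 with {"code": 0}."""
    try:
        reply = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False, "HTTP %d: non-JSON reply" % status
    ok = status == 200 and reply.get("code") == 0
    return ok, "HTTP %d: %s (code %s)" % (status, reply.get("text", "?"), reply.get("code"))


def send_events(base_url: str, events: Iterable[object], token: Optional[str] = None,
                cafile: Optional[str] = None, **overrides) -> Tuple[bool, str]:
    """POST the events to HEC and return (ok, message)."""
    token = token or os.environ.get("SPLUNK_HEC_TOKEN")
    if not token:
        raise RuntimeError("HEC token missing: set SPLUNK_HEC_TOKEN or pass token=")
    url, headers, body = build_hec_request(base_url, token, events, **overrides)
    # Unlike `curl -k`, verify the server certificate; point cafile at the
    # CA that signed the listener's certificate if it is not publicly trusted.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return check_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON body
        return check_hec_response(err.code, err.read())


if __name__ == "__main__":
    # your_host_name is a placeholder, as in the curl example above.
    ok, msg = send_events("https://your_host_name:8088",
                          ["This text will be indexed into splunk!",
                           {"app": "demo", "level": "info", "msg": "structured event"}],
                          index="main")
    print(msg)
```

Export SPLUNK_HEC_TOKEN with the value copied in step vi) and run the script; the printed line is HEC’s own verdict, so a disabled token or a wrong index shows up immediately rather than as silently missing events.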