|
|
Product Overview
Click
Settings > Add Data
.
Click
monitor
.
Click
HTTP Event Collector
.
In the
Name
field, enter a name for the token.
(Optional) In the
Source name override
field, enter a name for a source to be assigned to events that this endpoint generates.
(Optional) In the
Description
field, enter a description for the input.
(Optional) If you want to enable indexer acknowledgment for this token, click the
Enable indexer acknowledgment
checkbox.
Click
Next
.
(Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See
Modify input settings
.
Click
Review
.
Confirm that all settings for the endpoint are what you want.
If all settings are what you want, click
Submit
. Otherwise, click
<
to make changes.
(Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
(Optional) Click
Track deployment progress
to see progress on how the token has been deployed to the rest of the Splunk Cloud Platform deployment. When you see a status of "Done", you can then use the token to send data to HEC.
Click
Settings
>
Data Inputs
.
Click
HTTP Event Collector
.
Locate the token that you want to change in the list.
In the
Actions
column for that token, click
Edit
. You can also click the link to the token name.
(Optional) Edit the description of the token by entering updated text in the
Description
field.
(Optional) Update the source value of the token by entering text in the
Source
field.
(Optional) Choose a different source type by selecting it in the
Source Type
drop-down list box.
Choose a category.
Select a source type in the pop-up menu that appears.
(Optional) You can also type in the name of the source type in the text box at the top of the drop-down list box.
(Optional) Choose a different index by selecting it in the
Available Indexes
pane of the
Select Allowed Indexes
control.
(Optional) Choose whether you want indexer acknowledgment enabled for the token.
Click
Save
.
Click
Settings > Data Inputs
.
Click
HTTP Event Collector
.
Click
Global Settings
.
In the
All Tokens
toggle button, select
Enabled
.
(Optional) Choose a
Default Source Type
for all HEC tokens. You can also type in the name of the source type in the text field above the drop-down list box before choosing the source type.
(Optional) Choose a
Default Index
for all HEC tokens.
(Optional) Choose a
Default Output Group
for all HEC tokens.
(Optional) To use a deployment server to handle configurations for HEC tokens, click the
Use Deployment Server
check box.
(Optional) To have HEC listen and communicate over HTTPS rather than HTTP, click the
Enable SSL
checkbox.
(Optional) Enter a number in the
HTTP Port Number
field for HEC to listen on.
Click
Save
.
Click
Settings > Add Data
.
Click
monitor
.
Click
HTTP Event Collector
.
In the
Name
field, enter a name for the token.
(Optional) In the
Source name override
field, enter a source name for events that this input generates.
(Optional) In the
Description
field, enter a description for the input.
(Optional) In the
Output Group
field, select an existing forwarder output group.
(Optional) If you want to enable indexer acknowledgment for this token, click the
Enable indexer acknowledgment
checkbox.
Click
Next
.
(Optional) Confirm the source type and the index for HEC events.
Click
Review
.
Confirm that all settings for the endpoint are what you want.
If all settings are what you want, click
Submit
. Otherwise, click
<
to make changes.
(Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
Click
Settings
>
Data Inputs
.
Click
HTTP Event Collector
.
Locate the token that you want to change in the list.
In the
Actions
column for that token, click
Edit
. You can also click the link to the token name.
(Optional) Edit the description of the token by entering updated text in the
Description
field.
(Optional) Update the source value of the token by entering text in the
Source
field.
(Optional) Choose a different source type by selecting it in the
Source Type
drop-down list box.
A data platform built for expansive data access, powerful analytics and automation
Learn more
Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the
Splunk Enterprise
page on help.splunk.com and the
Splunk Enterprise 9.4.3 release notes
. For information about how version selection works in the new portal, see
Version selection
on the About This Site page.
Set up and use HTTP Event Collector in Splunk Web
The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.
After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files to access the Splunk platform instance.
HEC functionality varies based on Splunk software type
HTTP Event Collector runs on Splunk Cloud Platform and Splunk Enterprise. How it works depends on the type of Splunk platform instance you have.
HEC and Splunk Cloud Platform
You can enable HEC on a Splunk Cloud Platform deployment. The following caveats apply to using HEC on a Splunk Cloud Platform instance:
- If you need to use a configuration file to configure an HEC input, you must do this on a heavy forwarder, then forward the data to Splunk Cloud Platform. This is because Splunk Cloud Platform does not provide access to configuration files locally.
- You must file a ticket with Splunk Support to enable HEC for use with Amazon Web Services (AWS) Kinesis Firehose. Standard HEC is enabled by default on all Splunk Cloud Platform deployments and does not require a Splunk Support ticket.
- You cannot make changes to global settings. You can only make settings changes to tokens that you create.
- You cannot forward data that HEC receives to another set of Splunk indexers as Splunk Cloud Platform does not support forwarding output groups.
- The index that you choose to store events that HEC receives must already exist. You cannot create a new index during the setup process.
- Indexer acknowledgment is only available for AWS Kinesis Firehose at this time.
- After you create tokens, you can monitor progress of the token as it is deployed across your Splunk Cloud Platform instance.
For instructions on how to enable and manage HEC on Splunk Cloud Platform, see Configure HTTP Event Collector on Splunk Cloud .
HEC and Splunk Enterprise
HEC offers full configurability and functionality on the Splunk Enterprise platform on-premises. It offers the following additional benefits over HEC on Splunk Cloud Platform:
- HEC can accept events that you send to it over the HTTP protocol in addition to the HTTPS protocol.
- HEC can forward events to another Splunk indexer with an optional forwarding output group .
- You can use the deployment server to distribute HEC tokens across indexers in a distributed deployment.
For instructions on how to enable and manage HEC on Splunk Enterprise, see Configure HTTP Event Collector on Splunk Enterprise .
How the Splunk platform uses HTTP Event Collector tokens to get data in
Tokens are entities that let logging agents and HTTP clients connect to the HEC input. Each token has a unique value, which is a 128-bit number that is represented as a 32-character globally unique identifier (GUID). Each character can be a number from 0-9 or a letter from a-f, and the token is case insensitive. For example, the following is a valid HEC token:
B5A79AAD-D822-46CC-80D1-819F80D7BFB0
.
Agents and clients use a token to authenticate their connections to HEC. When the clients connect, they present this token value. If HEC receives a valid token, it accepts the connection and the client can deliver its payload of application events in either text or JavaScript Object Notation (JSON) format.
HEC receives the events and indexes them based on the configuration of the token. HEC uses the source, source type, and index that was specified in the token. If a forwarding output group configuration exists on a Splunk Enterprise instance, HEC forwards the data to indexers in that output group.
Configure HTTP Event Collector on Splunk Cloud Platform
HEC is enabled by default in Splunk Cloud Platform. You can create, modify, delete, enable, and disable HEC tokens.
Enable HTTP Event Collector on Splunk Cloud Platform
HTTP Event Collector is enabled by default on Splunk Cloud Platform.
Create an Event Collector token on Splunk Cloud Platform
To use HEC, you must configure at least one token. Splunk Cloud Platform distributes the token across the deployment. The token is not ready for use until distribution has completed.
Check Event Collector token distribution status on Splunk Cloud Platform
You can check the distribution status of an HEC token from the HEC token page. When a distribution is in progress, the page displays "Operation in progress" and a progress bar. Otherwise, the page displays "Last deployment status."
- Click Settings > Data Inputs .
- Click HTTP Event Collector .
- Click Operation in progress or Last deployment status .
- View the status of the token distribution.
- Click Close .
Modify an Event Collector token on Splunk Cloud Platform
You can make changes to an HEC token after you create it.
Delete an Event Collector token on Splunk Cloud Platform
You can delete an HEC token. Deleting an HEC token does not affect other HEC tokens, nor does it disable the HEC endpoint.
You cannot undo this action. Clients that use this token to send data to your Splunk deployment can no longer authenticate with the token. You must generate a new token and change the client configuration to use the new value.
- Click Settings > Data Inputs .
- Click HTTP Event Collector .
- Locate the token that you want to delete in the list.
- In the Actions column for that token, click Delete .
- In the Delete Token dialog, click Delete .
Enable and disable Event Collector tokens in Splunk Cloud Platform
You can enable or disable a token from within the HEC management page. Changing the active status of one token does not change the status of other tokens.
- Click Settings > Data Inputs .
- Click HTTP Event Collector .
- In the Actions column for a token, click the Enable link, if the token is not active, or the Disable link, if the token is active. The token status toggles and the link changes to Enable or Disable based on the changed token status.
Configure HTTP Event Collector on Splunk Enterprise
You can enable HEC and create, modify, delete, enable, and disable HEC tokens in Splunk Enterprise.
Enable HTTP Event Collector on Splunk Enterprise
Before you can use Event Collector to receive events through HTTP, you must enable it. For Splunk Enterprise, enable HEC through the Global Settings dialog box.
Confirm that no firewall blocks the port number that you specified in the '''HTTP Port Number''' field, either on the clients or the Splunk instance that hosts HEC.
Create an Event Collector token on Splunk Enterprise
To use HEC, you must configure at least one token.
Modify an Event Collector token on Splunk Enterprise
You can make changes to an HEC token after you have created it.
- Choose a category.
- Select a source type in the pop-up menu that appears.
- (Optional) You can also type in the name of the source type in the text box at the top of the drop-down.
- (Optional) Choose a different index by selecting it in the Available Indexes pane of the Select Allowed Indexes control.
- (Optional) Choose a different output group from the Output Group drop-down list box.
- (Optional) Choose whether you want indexer acknowledgment enabled for the token.
- Click Save .
- Click Settings > Data Inputs .
- Click HTTP Event Collector .
- Locate the token that you want to delete in the list.
- In the Actions column for that token, click Delete .
- In the Delete Token dialog box, click Delete .
- Click Settings > Data Inputs .
- Click HTTP Event Collector .
- In the Actions column for that token, click the Enable link, if the token is not active, or the Disable link, if the token is active. The token status toggles immediately and the link changes to Enable or Disable based on the changed token status.
- HEC must be enabled
- You must have at least one active HEC token available
- You must use an active token to authenticate into HEC
- You must format the data that goes to HEC in a certain way. See Format events for HTTP Event Collector
- You can make an HTTP request using your favorite HTTP client and send your JSON-encoded events.
-
As a developer, you can use the Java, JavaScript (
node.js), and .NET logging libraries in your application to send data to HEC. These libraries are compatible with popular logging frameworks. See Java , JavaScript (Node.js) , and .NET on the Splunk Dev Portal. - <protocol> is either
httporhttps - You must add
http-inputs-before the <host> on AWS. - You must add
http-inputs.before the <host> on GCP, Azure, and AWS Govcloud. - <host> is the Splunk Cloud Platform instance that runs HEC
- You must add the domain .splunkcloud.com after the <host>
- <port> is the HEC port number
- 8088 on Splunk Cloud Platform free trials
- 443 by default on Splunk Cloud Platform instances
- <endpoint> is the HEC endpoint you want to use. In many cases, you use the
/services/collector/eventendpoint for JavaScript Object Notation (JSON)-formatted events or theservices/collector/rawendpoint for raw events - <protocol> is either
httporhttps - <host> is the Splunk instance that runs HEC
- <port> is the HEC port number, which is 8088 by default, but you can change in the HEC Global Settings
- <endpoint> is the HEC endpoint you want to use. In many cases, you use the
/services/collector/eventendpoint for JavaScript Object Notation (JSON)-formatted events or theservices/collector/rawendpoint for raw events - For information about defining forwarding output groups, see Configure forwarders with outputs.conf. You can also set up forwarding in Splunk Web, which generates a default output group called
default-autolb-group. - For information on indexer acknowledgement, see HTTP Event Collector indexer acknowledgment. Indexer acknowledgment in HTTP Event Collector is not the same indexer acknowledgment capability described in indexer acknowledgment and indexer clusters.
- For information about using HEC in Splunk Enterprise, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise Getting Data In manual.
- For information about using HEC in Splunk Cloud Platform, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Cloud Platform Getting Data In manual.
- For information about using HEC in the Edge Processor service, see Get data into an Edge Processor using HTTP Event Collector in the Splunk Cloud Platform Use Edge Processors manual.
- For developer content on using HTTP Event Collector, see HTTP Event Collector Examples, as well as Introduction to Splunk HTTP Event Collector in the Splunk Developer Portal.
- HEC and Splunk Cloud Platform
- HEC and Splunk Enterprise How the Splunk platform uses HTTP Event Collector tokens to get data in Configure HTTP Event Collector on Splunk Cloud Platform
- Enable HTTP Event Collector on Splunk Cloud Platform
- Create an Event Collector token on Splunk Cloud Platform
- Check Event Collector token distribution status on Splunk Cloud Platform
- Modify an Event Collector token on Splunk Cloud Platform
- Delete an Event Collector token on Splunk Cloud Platform
- Enable and disable Event Collector tokens in Splunk Cloud Platform Configure HTTP Event Collector on Splunk Enterprise
- Enable HTTP Event Collector on Splunk Enterprise
- Create an Event Collector token on Splunk Enterprise
- Modify an Event Collector token on Splunk Enterprise
- Delete an Event Collector token on Splunk Enterprise
- Enable and disable Event Collector tokens on Splunk Enterprise
- Use output groups to specify groups of indexers on Splunk Enterprise Send data to HTTP Event Collector
- Send data to HTTP Event Collector on Splunk Cloud Platform
- Send data to HTTP Event Collector on Splunk Enterprise
- Example of sending data to HEC with an HTTP request
- JSON request and response More information on HEC More information on HEC for developers Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!
Delete an Event Collector token on Splunk Enterprise
You can delete an HEC token. Deleting an HEC token does not affect other HEC tokens, nor does it disable HEC.
You cannot undo this action. Clients that use this token to send data to your Splunk deployment can no longer authenticate with the token. You must generate a new token and change the client configuration to use the new token.
Enable and disable Event Collector tokens on Splunk Enterprise
You can enable or disable a single HEC token from within the HEC management page. Changing the status of one token does not change the status of other tokens. To enable or disable all tokens, use the Global Settings dialog. See Enable the HTTP Event Collector .
To toggle the active status of an HEC token:
Use output groups to specify groups of indexers on Splunk Enterprise
To index large amounts of data, you will likely need multiple indexers. On Splunk Enterprise only, you can specify groups of indexers to handle indexing your HTTP Event Collector data. These groups are called output groups . You can use output groups to, for example, index only certain kinds of data, or data from certain sources.
You configure output groups in the
outputs.conf
configuration file. Specifically, for HTTP Event Collector, edit the
outputs.conf
file at
$SPLUNK_HOME/etc/apps/splunk_httpinput/local/
(
%SPLUNK_HOME%\etc\apps\splunk_httpinput\local\
on Microsoft Windows hosts). If either the
local
directory or the
outputs.conf
file doesn't exist at this location, create it (or both).
HTTP Event Collector is not an app, but it stores its configuration in the
$SPLUNK_HOME/etc/apps/splunk_httpinput/
directory (
%SPLUNK_HOME%\etc\apps\splunk_httpinput\
on Windows) so that its configuration can be easily deployed using built-in app deployment capabilities.
Send data to HTTP Event Collector
You must satisfy all of the following conditions when you send data to HEC:
There are several options for sending data to HTTP Event Collector:
Send data to HTTP Event Collector on Splunk Cloud Platform
You must send data using a specific URI for HEC.
The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>The standard form for the HEC URI in Splunk Cloud Platform on AWS is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud or Azure is as follows:
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>The standard form for the HEC URI in Splunk Cloud Fedramp Moderate on AWS Govcloud is as follows:
<protocol>://http-inputs.<host>.splunkcloudgc.com:<port>/<endpoint> Where:
If you do not include these prefixes before your Splunk Cloud Platform hostname when you send data, the data cannot reach HEC.
Send data to HTTP Event Collector on Splunk Enterprise
You send data to a specific Uniform Resource Indicator (URI) for HEC.
The standard form for the HEC URI in Splunk Enterprise is as follows:
<protocol>://<host>:<port>/<endpoint>Where:
Example of sending data to HEC with an HTTP request
The following example makes a HTTP POST request to the HEC on port 8088 and uses HTTPS for transport. This example uses the
curlcommand to generate the request, but you can use a command line or other tool that better suits your needs.You can configure the network port and HTTP protocol settings independently of settings for other instances of HEC in your Splunk Enterprise or Splunk Cloud Platform deployment.
The following cURL command uses an example HTTP Event Collector token (B5A79AAD-D822-46CC-80D1-819F80D7BFB0), and uses https://hec.example.com as the hostname. Replace these values with your own before running this command.
JSON request and response
When you make a JSON request to send data to HEC, you must specify the "event" key in the command.
The Authorization HTTP header for HEC requires the "Splunk" keyword before the HEC token.
Submit Comment We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here » Closing this box indicates that you accept our Cookie Policy.curl https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}' {"text": "Success", "code": 0}More information on HEC
More information on HEC for developers
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Comments
HEC functionality varies based on Splunk software type
Was this topic useful?
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers. out of 1000 Characters
推荐文章
|
威武的小蝌蚪 · In XML Configuration and XML TP Rules, when browsing to select *.ddf, this error is received: ?'Unable to parse XML file: 'ddfnam 2 年前 |
|
|
酷酷的扁豆 · 访问安全 <访问> | Microsoft Learn 2 年前 |