Splunk HEC
Most recent version: v1.0.0
Last updated
Was this helpful?
Most recent version: v1.0.0
Last updated
Was this helpful?
Splunk HEC is an interface that allows applications to send event data to Splunk directly via HTTP or HTTPS. Suppose you have an application that generates log events. Instead of writing these events to a log file and having Splunk read from there, you can configure Onum to send these events directly to Splunk HEC. The application makes an HTTP POST request to Splunk HEC with the events in JSON format and the authentication token. Splunk receives these events in real-time, indexes them, and makes them available for immediate analysis.
Select Splunk HEC from the list of Data Sink types and click Configuration to start.
Now you need to specify how and where to send the data, and how to establish a connection with Splunk HEC.
Enter the basic information for the new Data Sink.
Name*
Enter a name for the new Data Sink.
Description
Optionally, enter a description for the Data Sink.
Tags
Add tags to easily identify your Data Sink. Hit the Enter key after you define each tag.
Now, add the configuration to establish the connection.
Splunk instance URL*
Add the URL to connect to your Splunk instance:
For on-premises deployments, this will be <protocol>://<host>
In Cloud deployment setups, this will be <protocol>://http-inputs-<host>.splunkcloud.com
Find all your instances in My Splunk > Instances.
URL port number*
Connection port. If not specified, port 8088 is used by default.
Choose how to authenticate:
Basic
The username is the same as the one used to log in to the instance via the browser, and the password is the token value you'll use.
Token
Choose the format of the message to send:
JSON
Choose this option if you want to send your events in JSON format.
Raw
Choose this option if you want to send your events in raw format. Set the following parameters:
Choose manual if you don't have a specific source type to use.
Select none to add a custom source type in the Custom source type* field that appears.
Optionally, you may configure the following advanced settings:
Bulk configuration
Activate the Bulk configuration toggle if you want to allow bulk sending. Configure the following parameters:
Event time limit* - If the bulk amount is not reached, enter the maximum time lapse between sends (in seconds). The minimum value is 1.
Now, set the conditions to trigger bulk sending:
Event amount - Enter the maximum number of events per batch. The minimum value is 1.
Event size - Enter the maximum number of bytes in each batch. The minimum value is 1 and the default value is 5000000.
TLS configuration
Activate the TLS configuration toggle if you want to set a TLS connection. Configure the following parameters:
Minimum TLS version* - Choose the minimum TLS version required for incoming connections.
By default, the Skip TLS validations toggle is activated. Deactivate it to configure the following:
Subject Alternative Name - Optionally, enter a Subject Alternative Name (SAN) for your TLS connection.
Proxy configuration
If your organization uses proxy servers, activate the Proxy configuration toggle and establish the connection here:
Scheme* - Choose the required proxy scheme (HTTP or HTTPS).
Host* - Set the required proxy address.
Port* - Set the required proxy port.
Username - Enter your proxy username.
Gzip compression
Activate the Gzip compression toggle to allow using this type of compression.
Raw message*
Select the field to include in the output message. The data type must be string.
Optionally, you may include the following metadata:
Host
Select the field that contains the host information. The data type must be string.
Source
Select the field that contains the source information. The data type must be string.
Index
Select the field that contains the index information. The data type must be string.
Onum supports integration with .
Decide whether or not to include this Data Sink info in the metrics and graphs of the area.
For Basic authentication, enter your Username* and Password*. Select your password from the list of your tenant's or create a new one.
For Token authentication, choose the required Token*. Select your token from the list of your tenant's or create a new one.
Learn how to create and manage your Splunk tokens in .
Channel* - Indicate the ID of the channel used to send events. This helps streamline event searches on the server. Learn more about channels in .
Source type* - Select the required source type to parse your data from the dropdown list.
Learn how to create new source types .
Certificate* - Select your CA certificate from the list of your tenant's or create a new one.
Private key* - Select your private key from the list of your tenant's or create a new one.
CA chain* - CA chain used by the Data Sink to verify client certificates. Choose it from the list of your tenant's or create a new one.
Password - Select your proxy password from the list of your tenant's or create a new one.
When it comes to using this Data Sink in a , you must configure the following output parameters. To do it, simply click the Data Sink on the canvas and select Configuration.
