Splunk HEC
Current version v0.0.5
Last updated
See the changelog of this Sink .
Splunk HEC (HTTP Event Collector) is an interface that allows applications to send event data to Splunk directly via HTTP or HTTPS. Suppose you have an application that generates log events. Instead of writing these events to a log file and having Splunk read from there, you can configure Onum to send these events directly to Splunk HEC. The application makes an HTTP POST request to Splunk HEC with the events in JSON format and the authentication token. Splunk receives these events in real-time, indexes them, and makes them available for immediate analysis.
This sink allows you to send events to Splunk HEC in both Raw and JSON formats.
Select Splunk HEC from the list of Types and click Configuration.
Now you need to specify how and where to send the data, and how to establish a connection with Splunk.
Enter the basic information for the new Data Sink.
Name*
Enter a name for the new Data Sink.
Description
Optionally, enter a description for the Data Sink.
Tags
Add tags to easily identify your Sink. Hit the Enter key after you define each tag.
Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.
Now add the configuration to establish the connection.
Splunk instance URL*
Add the URL to connect to your Splunk instance.
- In Cloud deployment setups, this will be: <protocol>://http-inputs-<host>.splunkcloud.com:<port>
- For On-Premise deployment, this will be: <protocol>://<host>.splunkcloud.com:<port>
Find all your instances in My Splunk > Instances.
URL port number*
Connection port. If not specified, port 8088 is used by default.
Channel instance URL
Set this if you need to connect to a specific channel; it helps streamline event searches on the server. Required if the data format is Raw.
Authentication method*
Choose how to authenticate, between Token and Basic. Later, you can enter the credentials for the selected method.
Event format*
Decide how the event enters: JSON or Raw.
Bulk Configuration
Bulk allow*
Set to true to send events in batches of a configured size, or false to send them individually.
Event amount
If you have selected true, enter the number of events per batch.
Event time limit
Enter the maximum time (in seconds) to wait between sends if the bulk amount is not reached; a partial batch is sent once this limit elapses.
Next, enter your authentication parameters according to the previously-selected Method (either Token or Basic).
If you selected Basic, configure which user to authenticate access for.
Username
The username is the same as the one used to log into the instance via the browser.
Password
The token value you'll use.
If you selected Token, configure the settings here.
After logging in to your Splunk Cloud instance using your Splunk account credentials, go to the Splunk Cloud dashboard.
Select Settings and find the list of Tokens. Copy the token to your clipboard to start using it in your Sink.
Use the token or script to authenticate requests to your Splunk Cloud instance. Typically, the token is sent in the authorization header of HTTP requests.
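The following is an added example, not code from Onum or Splunk, showing what this sink does on the wire: how a JSON-format and a Raw-format HEC request are built (endpoint path, the Authorization header with the Splunk prefix, the channel header the Raw format requires, the sourcetype), and how the bulk settings above (event amount and time limit) decide when a batch is flushed. The instance URL, token and channel values are constructed placeholders; the helper names are this example's own. The endpoint paths and header names are the public Splunk HEC ones.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholder values for illustration only; use your own instance and secrets.
SPLUNK_URL = "https://http-inputs-example.splunkcloud.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"     # placeholder HEC token
CHANNEL = "11111111-1111-1111-1111-111111111111"       # placeholder channel GUID


def build_hec_request(events, event_format="json", token=HEC_TOKEN,
                      base_url=SPLUNK_URL, channel=None, sourcetype=None):
    """Return (url, headers, body) for one HEC POST without sending it.

    json: POST /services/collector/event, body is newline-separated JSON objects,
          each wrapped in an "event" key, with an optional "sourcetype".
    raw:  POST /services/collector/raw, body is the raw lines; the channel
          header is mandatory, which is why the sink requires it for Raw.
    """
    # HEC expects the literal "Splunk " prefix in front of the token.
    headers = {"Authorization": f"Splunk {token}"}
    base = base_url.rstrip("/")
    if event_format == "json":
        url = base + "/services/collector/event"
        records = []
        for ev in events:
            rec = {"event": ev}
            if sourcetype:
                rec["sourcetype"] = sourcetype
            records.append(json.dumps(rec, separators=(",", ":")))
        body = "\n".join(records)
        headers["Content-Type"] = "application/json"
    elif event_format == "raw":
        if not channel:
            raise ValueError("channel is required for the raw event format")
        url = base + "/services/collector/raw"
        if sourcetype:
            url += "?sourcetype=" + urllib.parse.quote(sourcetype)
        headers["X-Splunk-Request-Channel"] = channel
        headers["Content-Type"] = "text/plain"
        body = "\n".join(str(ev) for ev in events)
    else:
        raise ValueError(f"unknown event format: {event_format}")
    return url, headers, body


def send_hec_request(url, headers, body, timeout=10):
    """Actually POST a built request (not used by the offline demo below)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


class Batcher:
    """Buffer events and flush when the event amount or the time limit is reached.

    Mirrors the sink's Bulk configuration: event_amount is the batch size,
    time_limit the maximum seconds between sends when the batch is not full.
    The clock is injectable so the flush logic can be tested deterministically.
    """

    def __init__(self, event_amount=100, time_limit=5.0, clock=time.monotonic):
        self.event_amount = event_amount
        self.time_limit = time_limit
        self.clock = clock
        self.buffer = []
        self.started = None

    def add(self, event):
        """Add one event; return the flushed batch if it became due, else None."""
        if not self.buffer:
            self.started = self.clock()
        self.buffer.append(event)
        return self.flush_if_due()

    def flush_if_due(self, force=False):
        """Return and clear the buffer if full, stale, or forced; else None."""
        if not self.buffer:
            return None
        stale = (self.clock() - self.started) >= self.time_limit
        if not (force or len(self.buffer) >= self.event_amount or stale):
            return None
        batch, self.buffer, self.started = self.buffer, [], None
        return batch


if __name__ == "__main__":
    # Offline demo: build the two request shapes and show them without sending.
    batch = [{"msg": "login ok", "user": "alice"}, {"msg": "login failed", "user": "bob"}]
    for fmt in ("json", "raw"):
        url, hdrs, body = build_hec_request(batch, fmt, channel=CHANNEL, sourcetype="onum:auth")
        print(fmt, url, hdrs, body, sep="\n", end="\n\n")
```

In a pipeline the Batcher would feed each flushed batch into build_hec_request and then send_hec_request; a periodic call to flush_if_due() is what makes the time limit fire when no new events arrive.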
Token
Here you must select or create the secrets containing the TLS certificate chain if needed.
CA Certificate
Raw event sending with token authentication:
When it comes to using this sink in a Pipeline, you must configure the output parameters:
Sourcetype instance URL: select the source type from the drop-down. See here for a comprehensive list.
Select none to add a custom source type in the next window field.
Custom sourcetype: using a custom source type allows you to enter your personalized Splunk HEC sourcetype.
Message: select the fields to include in the output message.
Token: select or create the secret containing the token value. The correct format is Splunk <token> (Splunk as the prefix).
CA Certificate: select or create the secret containing the certificate chain.