Splunk HEC

Current version v0.0.5

See the changelog of this Sink .

Overview

Splunk HEC (HTTP Event Collector) is an interface that allows applications to send event data to Splunk directly via HTTP or HTTPS. Suppose you have an application that generates log events. Instead of writing these events to a log file and having Splunk read from there, you can configure Onum to send these events directly to Splunk HEC. The application makes an HTTP POST request to Splunk HEC with the events in JSON format and the authentication token. Splunk receives these events in real-time, indexes them, and makes them available for immediate analysis.

This sink allows us to send events to SplunkHec in both Raw and JSON formats.

Select Splunk HEC from the list of Types and click Configuration.

Configuration

Now you need to specify how and where to send the data, and how to establish a connection with Slack.

Metadata

Enter the basic information for the new Data Sink.

Parameters

Description

Name*

Enter a name for the new Data Sink.

Description

Optionally, enter a description for the Data Sink.

Tags

Add tags to easily identify your Sink. Hit the Enter key after you define each tag.

Metrics

Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.

Configuration

Now add the configuration to establish the connection.

Where to find the credentials

Using Splunk Tokens

After logging in to your Splunk Cloud instance using your Splunk account credentials, go to the Splunk Cloud dashboard.

Select Settings and find the list of Tokens. Copy it to your clipboard to start using it in your Sink.

Use the token or script to authenticate requests to your Splunk Cloud instance. Typically, the token is sent in the authorization header of HTTP requests.

Configure an Event Collector

Once inside the server, configure the Event Collector to receive data along with the access token.

On the main screen, open the Settings menu and select Data Inputs.
Choose the HTTP Event Collector option.
Set an access token for authentication.Select the New Token option in the top-right corner to access the token configuration screen. our token.
Set the token name.
Select at least the main index for quicker event searching.
Save the created token's value.
Save the created token's value.

Search for Received Events

On the main screen, go to Search & Reporting. You can search by parameters like index or sourceType. For more information, refer to Splunk's official documentation.

Once your instance is created, you can process to build your sink.

Splunk instance URL* - add the URL to connect to your Splunk instance.
In Cloud deployment setups, this will be:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>

For On-Premise deployment, this will be:

<protocol>://<host>.splunkcloud.com:<port>

URL port number* - Connection port. If not specified, port 8088 is used by default.
Channel instance URL - if you need to connect to a specific channel. This helps streamline event searches on the server. Required if the data format is Raw.
Authentication method* - choose how to authenticate, between Token and Basic. Later, you can enter the credentials for the selected method.
Event format* - decide how the event enters: JSON or Raw.

Bulk Configuration

Bulk allow * - true to set a bulk amount or false to ignore.
Event amount - If you have selected true, enter the number of events per batch.
Event time limit - If the bulk amount is not reached, enter the maximum time (in seconds) lapse between sends.

Next, enter your authentication parameters according to the previously-selected Method (either Token or Basic).

Basic Authentication Parameters

If you selected Basic, configure which user to authenticate access for.

Username - the username is the same as the one used to log into the instance via the browser
Password -the token value you'll use.

Token Authentication Parameters

If you selected Token, configure the settings here.

Token - select or create the secrets containing these values. The correct format isSplunk token (Splunk as the prefix).

TLS configuration

Here you must select or create the secrets containing the TLS certificate chain if needed.

CA Certificate - select or create the secrets containing these values.

Proxy Configuration

If your organization uses proxy servers, establish the connection here.

Proxy Address
Proxy Port
Proxy Username
Proxy Password
Proxy Scheme

Example Configuration

Raw event sending with token authentication:

{
    "splunkURL": "https://prd-p-y4gmf.splunkcloud.com",
    "sourcetype": "manual",
    "authType": "tokenAuth",
    "channel": "00872DC6-AC83-4EDE-8AFE-8413C3825C4C",   
    "tokenAuthParams": {
        "authToken": {
            "Value": "Splunk 83649b09-5ab3-4d6e-93be-d0ed2ecf2a85"
        }       
    },  
    "bulkConfiguration": {
        "bulkAllow": true,
        "eventMaxAmount": 2,
        "eventMaxTime": 1
    },
    "eventFormat": "raw",
    "messageInField": "message"

Output configuration

When it comes to using this sink in a Pipeline, you must configure the output parameters:

Sourcetype instance URL: select the source type from the drop-down. See here for a comprehensive list.
- Select none to add a custom source type in the next window field.
Custom sourcetype: using a custom source type allows you to enter your personalized Splunk HEC sourcetype.
Message: select the fields to include in the output message.

PreviousSlack NextSyslog

Last updated 3 days ago

Was this helpful?