WebsiteBlogLogin

Splunk HEC

Most recent version: v1.0.1

See the changelog of this Data Sink type here.

Overview

Onum supports integration with Splunk HEC (HTTP Event Collector).

Splunk HEC is an interface that allows applications to send event data to Splunk directly via HTTP or HTTPS. Suppose you have an application that generates log events. Instead of writing these events to a log file and having Splunk read from there, you can configure Onum to send these events directly to Splunk HEC. The application makes an HTTP POST request to Splunk HEC with the events in JSON format and the authentication token. Splunk receives these events in real-time, indexes them, and makes them available for immediate analysis.

Select Splunk HEC from the list of Data Sink types and click Configuration to start.

Data Sink Configuration

Now you need to specify how and where to send the data, and how to establish a connection with Splunk HEC.

Metadata

Enter the basic information for the new Data Sink.

Parameters
Description

Name*

Enter a name for the new Data Sink.

Description

Optionally, enter a description for the Data Sink.

Tags

Add tags to easily identify your Data Sink. Hit the Enter key after you define each tag.

Metrics display

Decide whether or not to include this Data Sink info in the metrics and graphs of the Home area.

Configuration

Now, add the configuration to establish the connection.

Parameter
Description

Splunk instance URL*

Add the URL to connect to your Splunk instance:

  • For on-premises deployments, this will be <protocol>://<host>

  • In Cloud deployment setups, this will be <protocol>://http-inputs-<host>.splunkcloud.com

Find all your instances in My Splunk > Instances.

URL port number*

Connection port. If not specified, port 8088 is used by default.

Authentication method

Choose how to authenticate:

Parameter
Description

Basic

For Basic authentication, enter your Username* and Password*. Select your password from the list of your tenant's Secrets or create a new one.

The username is the same as the one used to log in to the instance via the browser, and the password is the token value you'll use.

Token

For Token authentication, choose the required Token*. Select your token from the list of your tenant's Secrets or create a new one.

Learn how to create and manage your Splunk tokens in this article.

Event format

Choose the format of the message to send:

Parameter
Description

JSON

Choose this option if you want to send your events in JSON format.

Raw

Choose this option if you want to send your events in raw format. Set the following parameters:

  • Channel* - Indicate the ID of the channel used to send events. This helps streamline event searches on the server. Learn more about channels in this article.

  • Source type* - Select the required source type to parse your data from the dropdown list. See here for a comprehensive list.

    • Choose manual if you don't have a specific source type to use.

    • Select none to add a custom source type in the Custom source type* field that appears.

    Learn how to create new source types here.

Advanced configuration

Optionally, you may configure the following advanced settings:

Parameter
Description

Bulk configuration

Activate the Bulk configuration toggle if you want to allow bulk sending. Configure the following parameters:

  • Event time limit* - If the bulk amount is not reached, enter the maximum time lapse between sends (in seconds). The minimum value is 1.

Now, set the conditions to trigger bulk sending:

  • Event amount - Enter the maximum number of events per batch. The minimum value is 1 and the maximum value is 15000 (default).

  • Event size - Enter the maximum number of bytes in each batch. The minimum value is 1 and the maximum value is 5000000 (default).

TLS configuration

Activate the TLS configuration toggle if you want to set a TLS connection. Configure the following parameters:

  • Minimum TLS version* - Choose the minimum TLS version required for incoming connections.

  • Certificate* - Select your CA certificate from the list of your tenant's Secrets or create a new one.

  • Private key* - Select your private key from the list of your tenant's Secrets or create a new one.

By default, the Skip TLS validations toggle is activated. Deactivate it to configure the following:

  • CA chain* - CA chain used by the Data Sink to verify client certificates. Choose it from the list of your tenant's Secrets or create a new one.

  • Subject Alternative Name - Optionally, enter a Subject Alternative Name (SAN) for your TLS connection.

Proxy configuration

If your organization uses proxy servers, activate the Proxy configuration toggle and establish the connection here:

  • Scheme* - Choose the required proxy scheme (HTTP or HTTPS).

  • Host* - Set the required proxy address.

  • Port* - Set the required proxy port.

  • Username - Enter your proxy username.

  • Password - Select your proxy password from the list of your tenant's Secrets or create a new one.

Gzip compression

Activate the Gzip compression toggle to allow using this type of compression.

Pipeline configuration

When it comes to using this Data Sink in a Pipeline, you must configure the following output parameters. To do it, simply click the Data Sink on the canvas and select Configuration.

Output configuration

Parameter
Description

Raw message*

Select the field to include in the output message. The data type must be string.

Splunk metadata

Optionally, you may include the following metadata:

Parameter
Description

Host

Select the field that contains the host information. The data type must be string.

Source

Select the field that contains the source information. The data type must be string.

Index

Select the field that contains the index information. The data type must be string.

PreviousSplunkNextSyslog

Last updated

Was this helpful?