Use the CLI to administer HTTP Event Collector

You can use the http-event-collector parameter with HTTP Event Collector-specific CLI commands and options to administer an HTTP Event Collector instance on a Splunk Enterprise server. This topic lists the available HTTP Event Collector options.

If you are unfamiliar with the CLI, start here:

HTTP Event Collector-specific CLI syntax

When administering HTTP Event Collector via the CLI, use the following syntax for all commands except send:

splunk http-event-collector <command> <token-name> [<option2>] [<-parameter1> <value1>] [<-parameter2> <value2>] <data>

All HTTP Event Collector commands (except for send) assume that the first option following the command name is the name of the token. In addition, the create command assumes that the second option is a description of the token in quotation marks.

Use the following syntax for the send command:

splunk http-event-collector send -uri <uri_value> -name <token-name> <data>

To apply CLI commands to the global configuration, leave out the token name. For example, the following enables HTTP Event Collector:

splunk http-event-collector enable -uri <uri_value> <data>

Supported CLI commands

The following HTTP Event Collector-specific CLI commands are supported:

| Command | Description |
| --- | --- |
| create | Create a new token. |
| delete | Remove a token. |
| list | Show all available tokens. |
| update | Change token properties. |
| enable | Enable a token. |
| disable | Disable a token. |
| help | Show help. |
| send | Send data to an endpoint. |


Supported CLI parameters

The following HTTP Event Collector-specific CLI parameters are supported. Parameters must be followed by the value to which the parameter is being set. Any values that include spaces must be surrounded by quotation marks.

| Parameter | Description |
| --- | --- |
| -uri | The URI of the Splunk server in the form: scheme://host:port. As an alternative to setting this parameter, you can set the $SPLUNK_URI environment variable instead. Be aware that the port number to use should be the management port of your Splunk server (by default, 8089), and not the HTTP Event Collector port (by default, 8088). |
| -auth | Splunk server user authentication in the form: username:password. If this parameter is missing, you are prompted for a username and password. |
| -name | The name of the token. |
| -disabled | Whether to disable the token. 1 indicates true; 0 indicates false. |
| -description | A description of the token. |
| -indexes | A list of indexes accepted by the token. |
| -index | The token's default index. Splunk Enterprise assigns this value to data that doesn't already have an index value set. |
| -source | The token's default source value. Splunk Enterprise assigns this value to data that doesn't already have a source value set. |
| -sourcetype | The token's default sourcetype value. Splunk Enterprise assigns this value to data that doesn't already have a sourcetype value set. |
| -outputgroup | The token's default outputgroup value. An output group is a group of indexers set up by the Splunk software administrator to index the data. Splunk Enterprise assigns this value to data that doesn't already have an outputgroup value set. |
| -port | The HTTP Event Collector server port. The default value is 8088, but you can change it using this parameter. |
| -enable-ssl | Whether the HTTP Event Collector server's protocol is HTTP or HTTPS. 1 indicates HTTPS; 0 indicates HTTP. |
| -dedicated-io-threads | The number of dispatcher threads on the HTTP Event Collector server. The default value is 2. This setting should not be altered unless you have been requested to do so by Splunk Support. The value of this parameter should never be more than the number of physical CPU cores on your Splunk Enterprise server. |
| -output-format | The output format. txt indicates text; json indicates JSON. The default value is txt. |


Example CLI syntax

The following example CLI entry creates a token called "new-token" on the Splunk server at the given URI, gives it a description (in quotation marks), sets it to disabled, and indicates HTTP Event Collector data should be saved to the "log" index.

splunk http-event-collector create new-token -uri https://localhost:8089 "this is a new token" -disabled 1 -index log

The following example CLI entry enables the token called "myapp" on the Splunk server at the given URI, and sets the user authentication as shown:

splunk http-event-collector enable -name myapp -uri https://localhost:8089 -auth admin:changeme

The following example CLI entry sends data ("this is some data") to HTTP Event Collector using the given token and URI.

splunk http-event-collector send -uri https://localhost:8089 -token my-token {"this is some data"}
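
As an added example (not part of the Splunk documentation or product), the shell function below checks the arguments of a splunk http-event-collector command before it is run or saved into an admin script, using the parameter rules described above for -uri, -auth and -enable-ssl. The names hec_lint and _hec_finding and the message wording are hypothetical.

```sh
#!/bin/sh
# Added example, not Splunk code. hec_lint and its messages are hypothetical.
# Pass it the arguments of a `splunk http-event-collector` command; it prints
# one line per finding and returns the number of findings (0 = clean).

_hec_finding() { echo "$1"; findings=$((findings + 1)); }

hec_lint() (
    findings=0
    while [ $# -gt 0 ]; do
        opt=$1; val=${2:-}; shift
        case "$opt" in
        -uri)
            # Must be scheme://host:port and point at the management port.
            case "$val" in
            https://*:[0-9]*) ;;
            http://*:[0-9]*) _hec_finding "uri: plain http to the management port" ;;
            *) _hec_finding "uri: expected scheme://host:port" ;;
            esac
            port=${val##*:}
            if [ "${port%/}" = 8088 ]; then
                _hec_finding "uri: 8088 is the default HEC port; use the management port (default 8089)"
            fi ;;
        -auth)
            # username:password on the command line ends up in shell history
            # and in the process list; without -auth the CLI prompts instead.
            case "$val" in
            *:?*) _hec_finding "auth: inline password; omit -auth to be prompted" ;;
            esac ;;
        -enable-ssl)
            if [ "$val" = 0 ]; then
                _hec_finding "enable-ssl: 0 switches the HEC server to plain HTTP"
            fi ;;
        esac
    done
    exit "$findings"
)

# Constructed sample: the "enable" example above, which passes -auth inline.
hec_lint enable -name myapp -uri https://localhost:8089 -auth admin:changeme ||
    echo "findings: $?"
```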