Getting data in with HTTP Event Collector

You can use HTTP Event Collector (HEC) to get data into Splunk Enterprise or Splunk Cloud. This topic describes the few small differences involved in sending data to the two products, and tells you where to go for more information about getting data in.

Splunk Cloud

To get data into Splunk Cloud using HEC, note the following requirements:

  • HEC is supported on both self-service Splunk Cloud and managed Splunk Cloud.
  • HEC is disabled by default. You enable it in managed Splunk Cloud by opening a support ticket with Splunk Support. You enable it in self-service Splunk Cloud by going to Settings > Data Inputs > HTTP Event Collector > Global Settings, and then clicking Enabled next to All Tokens.
  • You send data to a HEC-specific URI. The standard form for the HEC URI in self-service Splunk Cloud is as follows:
    <protocol>://input-<host>:<port>/<endpoint>
    The standard form for the HEC URI in managed Splunk Cloud is as follows:
    <protocol>://http-inputs-<host>:<port>/<endpoint>
    • <protocol>: Either http or https.
    • <host>: Your Splunk Enterprise instance's URI.
      • For self-service Splunk Cloud plans, prepend the hostname with input-.
      • For managed Splunk Cloud plans, prepend the hostname with http-inputs-.
      Note: Failing to include these prefixes before your Splunk Cloud hostname will prevent data from reaching HEC.
    • <port>: The HEC port number, which is 8088.
    • <endpoint>: The HEC endpoint you want to use. You will likely use the /services/collector endpoint for JSON-formatted events or the /services/collector/raw endpoint for raw events.
  • You must authenticate to the Splunk server using one of the HEC tokens you created on the server. You have several ways to authenticate to the server:
    • HTTP Authentication: Place the token in the authorization header of each HTTP request as follows:

      -H "Authorization: Splunk <hec_token>" 

      In context:

      curl -k -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://http-inputs-mysplunkcloud.example.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}'
    • Basic authentication: Pass a colon-separated user/password pair with -u, in the form "<user>:<password>", where <user> can be any string and <password> is the HEC token. For example:

      -u "x:<hec_token>" 

      In context:

      curl -k -u "x:12345678-1234-1234-1234-1234567890AB" https://http-inputs-mysplunkcloud.example.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "basic auth ftw!"}'
    • Query string: Specify the HEC token as a query string in the URL that you specify in your queries to HEC. For example:

      ?token=<hec_token> 

      In context:

      curl -k https://http-inputs-mysplunkcloud.example.com:8088/services/collector/event?token=12345678-1234-1234-1234-1234567890AB -d '{"sourcetype": "mysourcetype", "event": "query string ftw!"}'

    For more information about HEC tokens, see HTTP Event Collector token management.

  • Your data must be formatted a certain way, as described in Format events for HTTP Event Collector. To learn how to format events with custom fields that are created at index time, see Indexed field extractions.

Splunk Enterprise

To get data into Splunk Enterprise using HEC, note the following requirements:

  • Splunk Enterprise 6.3.0 or later is required for HEC support. Splunk Enterprise 6.4.0 and later is required for both raw event parsing and indexer acknowledgment.
  • HEC is disabled by default. You enable it by going to Settings > Data Inputs > HTTP Event Collector > Global Settings, and then clicking Enabled next to All Tokens.
  • You send data to a HEC-specific URI. The standard form for the HEC URI in Splunk Enterprise is as follows:
    <protocol>://<host>:<port>/<endpoint>
    • <protocol>: Either http or https.
    • <host>: Your Splunk Enterprise instance's URI.
    • <port>: The HEC port number. The default port number is 8088, but you can change it in HTTP Event Collector Global Settings (Settings > Data Inputs > HTTP Event Collector > Global Settings).
    • <endpoint>: The HEC endpoint you want to use. You will likely use the /services/collector endpoint for JSON-formatted events or the /services/collector/raw endpoint for raw events.
  • You must authenticate to the Splunk server using one of the HEC tokens you created on the server. You have several ways to authenticate to the server:
    • HTTP Authentication: Place the token in the authorization header of each HTTP request as follows:

      -H "Authorization: Splunk <hec_token>" 

      In context:

      curl -k -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkcloud.example.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}'
    • Basic authentication: Pass a colon-separated user/password pair with -u, in the form "<user>:<password>", where <user> can be any string and <password> is the HEC token. For example:

      -u "x:<hec_token>" 

      In context:

      curl -k -u "x:12345678-1234-1234-1234-1234567890AB" https://mysplunkcloud.example.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "basic auth ftw!"}'

    For more information about HEC tokens, see HTTP Event Collector token management.

  • Your data must be formatted a certain way, as described in Format events for HTTP Event Collector. To learn how to format events with custom fields that are created at index time, see Indexed field extractions.
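The following Python script is an added example, not Splunk's own code, that puts the URI and authentication rules from both the Splunk Cloud and Splunk Enterprise sections above into one place: hec_url applies the input- / http-inputs- / bare-host rule for the deployment type, and hec_request carries the token as an Authorization: Splunk header, as HTTP Basic credentials, or as a ?token= query parameter. The function names, the deployment labels, the host names and the token value are constructed placeholders taken from or modelled on this page.

```python
"""Build HEC URLs and authenticated requests for Splunk Cloud or Splunk Enterprise.

Added example; it is not part of the Splunk documentation. Host names,
deployment labels and the token below are constructed placeholders.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

DEFAULT_HEC_PORT = 8088

# Hostname prefix each deployment type requires in front of <host>.
# Omitting the Splunk Cloud prefixes means data never reaches HEC.
HOST_PREFIX = {
    "self-service-cloud": "input-",
    "managed-cloud": "http-inputs-",
    "enterprise": "",
}


def hec_url(deployment, host, endpoint="/services/collector/event",
            port=DEFAULT_HEC_PORT, protocol="https"):
    """Return <protocol>://<prefix><host>:<port><endpoint> for the deployment type."""
    if deployment not in HOST_PREFIX:
        raise ValueError(f"unknown deployment type: {deployment}")
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    # Normalise the endpoint so '/services/collector' and 'services/collector/raw'
    # both produce a well-formed path.
    endpoint = "/" + endpoint.lstrip("/")
    return f"{protocol}://{HOST_PREFIX[deployment]}{host}:{port}{endpoint}"


def basic_credentials(user, token):
    """Encode '<user>:<token>' for an HTTP Basic Authorization header."""
    return base64.b64encode(f"{user}:{token}".encode()).decode()


def hec_request(url, token, event, sourcetype="mysourcetype", auth="header"):
    """Build a POST request that carries the HEC token in one of the three accepted ways.

    auth="header": Authorization: Splunk <token>
    auth="basic":  HTTP Basic with any user name ('x' here) and the token as password
    auth="query":  ?token=<token> appended to the URL
    """
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    headers = {"Content-Type": "application/json"}
    if auth == "header":
        headers["Authorization"] = f"Splunk {token}"
    elif auth == "basic":
        headers["Authorization"] = f"Basic {basic_credentials('x', token)}"
    elif auth == "query":
        sep = "&" if "?" in url else "?"
        url = f"{url}{sep}{urlencode({'token': token})}"
    else:
        raise ValueError(f"unknown auth method: {auth}")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request, timeout=10):
    """POST the request and return HEC's JSON reply (for example {"text": "Success", "code": 0})."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Placeholder token copied from the documentation examples; not a real credential.
    TOKEN = "12345678-1234-1234-1234-1234567890AB"
    url = hec_url("managed-cloud", "mysplunkcloud.example.com")
    req = hec_request(url, TOKEN, "http auth ftw!")
    print(req.full_url, req.get_header("Authorization"))
    # print(send(req))  # uncomment once pointed at a reachable HEC endpoint
```

Of the three token placements, the query-string form puts the token in the URL, which web servers and proxies between the sender and Splunk commonly record in their access logs; the header forms keep it out of URL logging, so prefer them where the sending client allows it.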

You can also learn more about advanced features such as using HEC on Splunk Enterprise in a distributed Splunk environment, and using HEC with indexer acknowledgment.

Ways to get data in

There are many ways to get data into Splunk Enterprise or Splunk Cloud using HTTP Event Collector: