HTTP Event Collector (HEC) is a high-performance data input introduced with Splunk 6.3. It accepts plain text or JSON data sent via HTTP or HTTPS.
Clients must authenticate with a token in order to be able to send data to a HEC input. Multiple tokens can be generated per HEC input if required.
When to Use HTTP Event Collector?
HTTP Event Collector (HEC) is the only way to send uberAgent data to Splunk Cloud. But it is useful even with on-premises Splunk Enterprises. HEC forces clients to authenticate before being allowed to send and it can use HTTPS as data transport, which qualifies it for sending data over the internet.
uberAgent natively supports HEC. It can send the data it collects to HEC via HTTP or HTTPS.
Configuring HTTP Event Collector in Splunk Enterprise
Enabling HTTP Event Collector
To enable HTTP Event Collector (HEC) for uberAgent follow these steps:
From the system bar, click Settings > Data Inputs
On the left side of the page, click HTTP Event Collector
In the upper right corner, click Global Settings. The following dialog comes up:
In the All Tokens toggle button, select Enabled
Optionally change the HEC port or enable SSL/TLS
Note that Splunk’s default self-signed certificate is not trusted by uberAgent if it is not in Windows’ certificate store.
HTTP Event Collector shares SSL settings with the Splunk management server so check your server.conf for SSL configuration details.
Click Save
Creating an HTTP Event Collector Token
To use the HTTP Event Collector, you must configure at least one token. The token is what uberAgent uses when it connects to Event Collector to send data.
To create an HEC token for use with uberAgent follow these steps:
From the system bar, click Settings > Data Inputs
On the left side of the page, click HTTP Event Collector
In the upper right corner, click New Token. The following dialog comes up:
Enter a name (e.g. uberAgent) and click Next. The following dialog comes up:
Leave everything at the defaults and click Review
On the next page click Submit
Copy the token value displayed. In the following screenshot that would be: 10C2F38B-CA7A-4850-8124-7A3191F82DBE
Configuring uberAgent to Send to an HTTP Event Collector Input
To configure uberAgent to send its collected data to HEC the following configuration settings are required:
Servers: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
Protocol: must be set to HTTP (even when sending via HTTPS)
RESTToken: fill in the token created above. The token can optionally be encrypted with the uAEncrypt commandline tool.
Configuring Splunk’s HTTP Event Collector
In this article
What is HTTP Event Collector?
HTTP Event Collector (HEC) is a high-performance data input introduced with Splunk 6.3. It accepts plain text or JSON data sent via HTTP or HTTPS.
Clients must authenticate with a token in order to be able to send data to a HEC input. Multiple tokens can be generated per HEC input if required.
When to Use HTTP Event Collector?
HTTP Event Collector (HEC) is the only way to send uberAgent data to Splunk Cloud. But it is useful even with on-premises Splunk Enterprises. HEC forces clients to authenticate before being allowed to send and it can use HTTPS as data transport, which qualifies it for sending data over the internet.
uberAgent natively supports HEC. It can send the data it collects to HEC via HTTP or HTTPS.
Configuring HTTP Event Collector in Splunk Enterprise
Enabling HTTP Event Collector
To enable HTTP Event Collector (HEC) for uberAgent follow these steps:
Creating an HTTP Event Collector Token
To use the HTTP Event Collector, you must configure at least one token. The token is what uberAgent uses when it connects to Event Collector to send data.
To create an HEC token for use with uberAgent follow these steps:
Configuring uberAgent to Send to an HTTP Event Collector Input
To configure uberAgent to send its collected data to HEC the following configuration settings are required:
http://server1:8088, https://server2:8088