Sending to Splunk’s HTTP Event Collector

What is HTTP Event Collector?

HTTP Event Collector (HEC) is a high-performance data input introduced with Splunk 6.3. It accepts plain text or JSON data sent via HTTP or HTTPS.

Clients must authenticate with a token in order to be able to send data to a HEC input. Multiple tokens can be generated per HEC input if required.

When to Use HTTP Event Collector?

HTTP Event Collector (HEC) is the only way to send uberAgent data to Splunk Cloud, but it is also useful with on-premises Splunk Enterprise. HEC requires clients to authenticate before they are allowed to send data, and it can use HTTPS as its transport, which makes it suitable for sending data over the internet.

uberAgent natively supports HEC. It can send the data it collects to HEC via HTTP or HTTPS.

Configuring HTTP Event Collector in Splunk Enterprise

Enabling HTTP Event Collector

To enable HTTP Event Collector (HEC) for uberAgent follow these steps:

  • From the system bar, click Settings -> Data Inputs
  • On the left side of the page, click HTTP Event Collector
  • In the upper right corner, click Global Settings. The following dialog comes up:

    [Screenshot: HTTP Event Collector Global Settings dialog]

  • In the All Tokens toggle button, select Enabled
  • Optionally change the HEC port or enable SSL/TLS
  • Click Save

Creating an HTTP Event Collector Token

To use the HTTP Event Collector, you must configure at least one token. The token is what uberAgent uses when it connects to Event Collector to send data.

To create a HEC token for use with uberAgent follow these steps:

  • From the system bar, click Settings -> Data Inputs
  • On the left side of the page, click HTTP Event Collector
  • In the upper right corner, click New Token. The following dialog comes up:

    [Screenshot: New Token dialog]

  • Enter a name (e.g. uberAgent) and click Next. The following dialog comes up:

    [Screenshot: next page of the New Token dialog]

  • Leave everything at the defaults and click Review
  • On the next page click Submit
  • Copy the token value displayed. In the following screenshot that would be: 10C2F38B-CA7A-4850-8124-7A3191F82DBE

    [Screenshot: page displaying the created token value]

Configuring uberAgent to Send to an HTTP Event Collector Input

To configure uberAgent to send its collected data to HEC the following configuration settings are required:

  • Servers: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
  • Protocol: must be set to HTTP (even when sending via HTTPS)
  • RESTToken: fill in the token created above. The token can optionally be encrypted with the uAEncrypt command-line tool.
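
The three settings above can be checked before rollout. The following Python sketch is an added example, not code from uberAgent or Splunk: `lint_hec_settings` and `build_test_event` are hypothetical helpers, the settings are passed as a plain dictionary rather than read from uberAgent's configuration, and a RESTToken that still looks like a GUID is assumed not to have been encrypted. The request it builds uses Splunk's HEC event endpoint and `Authorization: Splunk <token>` header.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def lint_hec_settings(settings):
    """Check Servers, Protocol and RESTToken; return (severity, message) pairs."""
    findings = []
    if settings.get("Protocol", "").strip().upper() != "HTTP":
        findings.append(("error", "Protocol must be HTTP, also for https:// servers"))
    token = settings.get("RESTToken", "").strip()
    if not token:
        findings.append(("error", "RESTToken is empty"))
    elif GUID.match(token):
        # Assumption: a value that still looks like a GUID was not run through uAEncrypt.
        findings.append(("warn", "RESTToken is stored in plaintext"))
    servers = [s.strip() for s in settings.get("Servers", "").split(",") if s.strip()]
    if not servers:
        findings.append(("error", "Servers is empty"))
    for url in servers:
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append(("error", f"{url}: not a valid URL"))
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(("error", f"{url}: must start with http:// or https://"))
        elif parts.scheme == "http":
            findings.append(("warn", f"{url}: token and data are sent unencrypted"))
    return findings

def build_test_event(server, token):
    """Build (but do not send) a request that posts one test event to HEC."""
    body = json.dumps({"event": "HEC connectivity test"}).encode()
    return urllib.request.Request(
        server.rstrip("/") + "/services/collector/event",
        data=body, method="POST",
        headers={"Authorization": "Splunk " + token},
    )

if __name__ == "__main__":
    # Constructed sample: the page's example server list and screenshot token.
    sample = {"Servers": "http://server1:8088, https://server2:8088",
              "Protocol": "HTTP",
              "RESTToken": "10C2F38B-CA7A-4850-8124-7A3191F82DBE"}
    for severity, message in lint_hec_settings(sample):
        print(severity, message)
```

Passing the result of `build_test_event` to `urllib.request.urlopen` against an https:// server confirms that the token is accepted before agents are deployed.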
