topic Re: Event collector in Splunk Cloud Platform

Event collector: What is the correct format in my search?

danylan — Mon, 06 Jun 2022 03:17:04 GMT

I am following this documentation from GCP [1], which mentions to omit YOUR_SPLUNK_HEC_URL must not include the HEC endpoint path, for example, /services/collector

My question is more specifically related to this section [2], it mentions that format should be

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

You must add http-inputs- before the <host>

which one would be the correct url, for eg

https://http-inputs.xxxx.splunkcloud.com:433

https://http-inputs-xxxx.splunkcloud.com:433

Send data to HTTP Event Collector on Splunk Cloud Platform

[1]https://cloud.google.com/architecture/deploying-production-ready-log-exports-to-splunk-using-dataflow#deploy_the_dataflow_pipeline

[2]https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Cloud_Platform

Re: Event collector

somesoni2 — Fri, 03 Jun 2022 15:14:49 GMT

I believe it's with hyphen (see "where:" section in https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector_on_Splunk_Cloud_Platform) where it says "

You must add http-inputs- before the <host>"

Re: Event collector

Roy_9 — Sun, 05 Jun 2022 15:05:20 GMT

hey @danylan,

Please use the below format for streaming the logs via HEC.

https://http-inputs-hostname.splunkcloud.com

endpoint name would be services/collector/event or services/collector/raw.

Also the port name would be 443, i guess you made a typo to 433 below.

Thanks

Re: Event collector

danylan — Mon, 06 Jun 2022 13:36:55 GMT

433 was a typo, thanks. After changing with the hyphen it is still complaining about the url formation

Url format should match PROTOCOL://HOST:PORT]

When following the Splunk docs does it matter if we are on Splunk Cloud Platform or Splunk Enterprise? From the docs it seems the format is a bit different.

Re: Event collector

Roy_9 — Mon, 06 Jun 2022 15:44:12 GMT

yes the format of the url changes on where you are sending the data either to splunk enterprise or splunk cloud.

Currently I am using splunk cloud and we curl from our sources using the below format.

curl -H "Authorization: Splunk <enter hec token>" https://http-inputs-stackname.splunkcloud.com/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

Hope this helps.

Re: Event collector

danylan — Mon, 06 Jun 2022 16:08:03 GMT

@Roy_9 , ty for reply, i appreciate.

I am seeing something different

I am on splunk cloud not on enterprise my token is e6a0b67b-e6d0-418f-a2cd-4493804c7c92

I only get a success with the following

curl -k -H "Authorization: Splunk e6a0b67b-e6d0-418f-a2cd-4493804c7c92" https://prd-p-gap0o .splunkcloud.com:8088/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

#i added -k to allow insecure connection but it does recognize the uri

When i try with http-inputs- it fails

Note: I am on a trial account by the way.

Re: Event collector

Roy_9 — Tue, 07 Jun 2022 16:12:56 GMT

Ok @danylan got it, i remember there will be slight change in url for self service and managed service cloud, please have a look at the documentation.

Not sure about the below error, may be you need to open a fw connection from your machine to https://http-inputs-hostname.splunkcloud.com

If it is resolved, please accept the solution and appreciate you giving karma point.

Thanks