https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/504547#M85996 <P>Query string authentication can be enabled on a per-token basis.</P><OL><LI>On the Splunk server, edit the file at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf . Tokens are listed by name in this file, in the form http://&lt;token_name&gt; .&nbsp;</LI><LI><SPAN>Within the stanza for each token that needs to enable query string authentication, add the following setting (or change the existing setting, if applicable):&nbsp;</SPAN><PRE>allowQueryStringAuth = true</PRE></LI><LI><SPAN>Save and close the inputs.conf file and restart Splunk service to reload configuration.</SPAN></LI></OL><LI-CODE lang="markup">For Splunk Cloud, you must open a Splunk Support ticket to set allowQueryStringAuth to true. Support for a toggle in Splunk Web for this setting is planned for a future release.</LI-CODE><P>HEC token can then be specified as a query string in the URL in the format:</P><PRE>?token=&lt;hec_token&gt;</PRE><P><STRONG>For example:</STRONG></P><PRE>curl -k "https://my-splunk-hec.example.com:8088/services/collector/raw?token=91dfd4e5-da4f-4861-89dd-dcdec19067fb&amp;channel=8cf7407d-fa98-4d97-9b7b-5f5902aa7744&amp;sourcetype=mydata" -d '1, 2, 3... Hello, world!'</PRE><P>&nbsp;</P> Tue, 16 Jun 2020 06:58:05 GMT nmadhok 2020-06-16T06:58:05Z https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/504537#M85995 <P>Wanting to forward all raw events from Client/Application to a specified HTTP Event Collector (HEC) endpoint/URL for on-prem/self-hosted Splunk environment but Client/Application only allows for a URL to be specified and does not allow specifying the HEC token in authorization header for HTTP Authentication or including it in basic authentication request.&nbsp;</P><P><SPAN>How can the raw events be ingested into on-prem/self hosted Splunk using HTTP Event Collector (HEC) input&nbsp;without an Authorization header?&nbsp;</SPAN>Is it possible to specify the HEC token as a query string/parameter in the URL itself?</P> Tue, 16 Jun 2020 06:19:04 GMT https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/504537#M85995 nmadhok 2020-06-16T06:19:04Z https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/504547#M85996 <P>Query string authentication can be enabled on a per-token basis.</P><OL><LI>On the Splunk server, edit the file at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf . Tokens are listed by name in this file, in the form http://&lt;token_name&gt; .&nbsp;</LI><LI><SPAN>Within the stanza for each token that needs to enable query string authentication, add the following setting (or change the existing setting, if applicable):&nbsp;</SPAN><PRE>allowQueryStringAuth = true</PRE></LI><LI><SPAN>Save and close the inputs.conf file and restart Splunk service to reload configuration.</SPAN></LI></OL><LI-CODE lang="markup">For Splunk Cloud, you must open a Splunk Support ticket to set allowQueryStringAuth to true. Support for a toggle in Splunk Web for this setting is planned for a future release.</LI-CODE><P>HEC token can then be specified as a query string in the URL in the format:</P><PRE>?token=&lt;hec_token&gt;</PRE><P><STRONG>For example:</STRONG></P><PRE>curl -k "https://my-splunk-hec.example.com:8088/services/collector/raw?token=91dfd4e5-da4f-4861-89dd-dcdec19067fb&amp;channel=8cf7407d-fa98-4d97-9b7b-5f5902aa7744&amp;sourcetype=mydata" -d '1, 2, 3... Hello, world!'</PRE><P>&nbsp;</P> Tue, 16 Jun 2020 06:58:05 GMT https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/504547#M85996 nmadhok 2020-06-16T06:58:05Z https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/506077#M86195 <P>This is awesome. Thanks much for sharing it!</P> Thu, 25 Jun 2020 00:39:52 GMT https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/506077#M86195 Matheus_Vieira 2020-06-25T00:39:52Z https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/710281#M117319 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kpatil_0-1738257740787.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34306i38BD906C6528B232/image-size/medium?v=v2&amp;px=400" role="button" title="kpatil_0-1738257740787.png" alt="kpatil_0-1738257740787.png" /></span></P><P>I'm doing POC using Splunk Trail and HEC to ingest audit log from Enterprise CMS [Sitecore], Sitecore doesn't support Authorization Header. So, I would like to enable query string authorization for my trail splunk cloud instance. But I'm unable to create ticket as one of the option is loading, tried call etc. But no luck. Can anyone help me getting connected to&nbsp; splunk support?</P><P>"</P><LI-CODE lang="markup">For Splunk Cloud, you must open a Splunk Support ticket to set allowQueryStringAuth to true. Support for a toggle in Splunk Web for this setting is planned for a future release.</LI-CODE><P>As per above comment, this configuration is added in splunk web? I couldn't find it. But might be looking at wrong place. Thanks, appreciate your help!</P> Thu, 30 Jan 2025 17:25:13 GMT https://community.splunk.com/t5/Getting-Data-In/Posting-data-to-HTTP-Event-Collector-HEC-without-passing-HEC/m-p/710281#M117319 kpatil 2025-01-30T17:25:13Z