
How to create HEC token through an API call?

sathiyaraj1983
Explorer

I would like to create an HEC token based on an API call.

Whenever a new instance (EC2) is coming up, it would make a call to Splunk Enterprise using the API gateway. Splunk Enterprise may need to create an HEC token and send a response back to the EC2 instance.

Later, the HEC token created will be mapped to an index and other conf files would be changed.

Question is:
"Is there a way to create an HEC token on an API call?"
Post the creation of the HEC token, is there a way to find the same?

0 Karma

devopsadmin
New Member

Well, after searching a bit, I got this link, which suggests what needs to be done:

https://docs.splunk.com/Documentation/Splunk/8.0.6/RESTTUT/RESTandCloud

0 Karma

devopsadmin
New Member

Hi there,

```
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http -d name=myapp
```

The above curl works well and generates a token.

How do I replicate the same for self-service Splunk Cloud? I have tried the above command on my trial Splunk Cloud account with the command below:

```
curl -k -v -u admin:pass https://prd-p-aadrg.splunkcloud.com:8089/servicesNS/nobody/search/data/inputs/http -d name=myapp
```

and nmap shows that only three ports are open:

```
Starting Nmap 7.60 ( https://nmap.org ) at 2020-10-14 11:30 IST
Nmap scan report for prd-p-aadrg.splunkcloud.com (100.24.234.228)
Host is up (0.23s latency).
rDNS record for 100.24.234.228: ec2-100-24-234-228.compute-1.amazonaws.com
Not shown: 9998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8088/tcp open radan-http
```

The same command on port 8088 returns the error below:

```
{"text":"The requested URL was not found on this server.","code":404}
```

So how do I create an http-event token for self-service Splunk Cloud using REST API calls?

0 Karma

Aftab_alam
Explorer

You might be able to solve this as below:
- Use curl to get the token
- Build the conf file -> upload it to a git repo/S3, and then a scheduled job syncs these conf files to the Splunk deployment server.

0 Karma

harsmarvania57
SplunkTrust

Hi,

Yes, you can create an HEC token using the Splunk REST API. Have a look at this documentation: https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTinput#data.2Finputs.2Fhttp

I have created a sample token in my lab and it is working fine; below is the command I used. You can create a Python script to achieve this, and when you fire the REST API call below it will return a response that contains the token value.

```
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http -d name=test -d index=main -d indexes=main,summary
```

sathiyaraj1983
Explorer

It is possible to call a script to create an index.conf file on completion of the above-said REST API call.
I would like to create the HEC token using a dummy index, then a script to create index.conf to deploy across the index cluster. Post index.conf deployment, a script to call input.conf to update the index name.

0 Karma

Aftab_alam
Explorer

Can you see if this helps:
- curl command to get the token
- build the conf files and then move them into a git repo
- have a scheduled sync job to sync all conf files between the git repo and the deployment server

0 Karma

harsmarvania57
SplunkTrust

You can create a Python script with the Splunk Python SDK to create the HEC token, and then when you get a 200 response from Splunk, invoke your other script.

0 Karma
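Added example (not from any poster in this thread and not Splunk's own code): a standard-library Python version of the curl call in harsmarvania57's first answer that reads the token from the JSON reply and runs a follow-up step only after a success response, as the reply above suggests. It uses `urllib` rather than the Splunk Python SDK; `on_created`, `cafile`, `opener`, the added `output_mode=json` field and the sample reply are assumptions made for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

ENDPOINT = "/servicesNS/nobody/search/data/inputs/http"  # path from the thread


def build_request(base_url, user, password, name, index, indexes):
    """Build the POST that the thread's curl command sends (same form fields)."""
    form = {
        "name": name,
        "index": index,                # default index for events
        "indexes": ",".join(indexes),  # allow-list: keep it as narrow as possible
        "output_mode": "json",         # ask for JSON instead of the default XML
    }
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Basic " + cred},  # equivalent of curl -u
        method="POST",
    )


def extract_token(body):
    """Return (stanza name, token) from the JSON reply; raises if absent."""
    entry = json.loads(body)["entry"][0]
    return entry["name"], entry["content"]["token"]


def create_hec_token(req, on_created, cafile=None, opener=urllib.request.urlopen):
    """Send the request; run the follow-up step only after a 2xx reply."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify TLS, unlike curl -k
    with opener(req, context=ctx, timeout=30) as resp:
        if not 200 <= resp.status < 300:
            raise RuntimeError(f"token creation failed: HTTP {resp.status}")
        stanza, token = extract_token(resp.read())
    on_created(stanza, token)  # hypothetical hook, e.g. start the conf deployment
    return token


# Constructed sample reply (not captured from a real server).
SAMPLE_REPLY = json.dumps({"entry": [{"name": "http://test", "content": {
    "token": "00000000-0000-0000-0000-000000000000", "index": "main",
    "indexes": ["main", "summary"]}}]})
```

Pass the management password from a secret store or environment variable rather than the command line, and point `cafile` at the CA that signed the port 8089 certificate when it is not in the system trust store.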

NanSplk01
Path Finder

Do you have an example of the rest call you used to create the HEC?  

0 Karma

Presses
New Member

@harsmarvania57 you mention creating HEC using the Splunk Python SDK - would you please elaborate on that, as I could not find anything on this in the SDK doc. Kindly please help.

Thanks

0 Karma

sathiyaraj1983
Explorer

Appreciate your help so far.
My requirement is:
1) For an API call from an EC2 instance, create an HEC token and send a response back.
2) On creating the HEC token, do a subsequent call to create index.conf and auth.conf and deploy them to the cluster.

So far I have achieved step 1: the HEC token got created and was sent back in response to the API call.

Now I would like to know how I can do a subsequent call (after the REST API call that creates the HEC token) to create index.conf.

0 Karma

sathiyaraj1983
Explorer

Thanks for the help.
Yes, using the curl command, I have created the HEC token, but my requirement here is:

1) Creating the HEC token using a dummy index should trigger a script, which should in turn create the index.conf and push it to the deployment server, and then call back the REST API to update the index details in input.conf for the respective HEC token.

The challenge is to invoke a script on creation of the HEC token.

0 Karma