How to set up HTTP event collector in a search head cluster, and does the token need to be in a specific format?

Communicator

I do not see an option for http event collector in Splunk Web.
We have a search head cluster and an indexer cluster.
Should I create an app on the deployer and push the configuration to all search heads?
Also, another question is about the token which needs to be generated. Does it have to be in any specific format, or can any random token work?

Thanks a ton.

0 Karma

Path Finder

After I disabled SSL, it could connect... However, I'm getting the following:

$ curl -k  http://localhost:8088/services/collector/event -H "Authorization: Splunk 3C9B0C01-F531-46F1-9F49-C27347C6FE7C" -d '{"event": "hello world"}'
{"text":"Data channel is missing","code":10}

Did the format change? What's the new version?

SplunkTrust

HTTP Event Collector is another form of input in Splunk and uses inputs.conf.
A search head cluster does not allow data inputs to be created from the web UI, and inputs.conf is not part of the replicated configuration file list. Information about SHC replication is available here: How configuration replication works in SHC.

HEC can be configured in different ways depending on your infrastructure design, and a few of them are mentioned under HEC. If you would like to configure HEC on search heads, it's suggested to use the deployer as mentioned in Propagate SHC configuration changes.

Regarding the token, it's suggested to leave it to Splunk to create tokens for you; the only restriction mentioned in the documents is "The token must be a GUID, and must be unique."

0 Karma
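The two points above (the token must be a GUID, and the `{"text":"Data channel is missing","code":10}` reply seen earlier in the thread) are easy to check client-side before touching Splunk. The following is an added example, not code from the thread or from Splunk: it validates that a token and an acknowledgment channel are canonical GUIDs, builds the HEC POST, and maps reply code 10 to its cause, which is that the token was created with indexer acknowledgment (useACK) enabled so every request must carry an `X-Splunk-Request-Channel` header. Host names and GUIDs in the example are constructed; it posts over TLS with certificate verification rather than `curl -k`.

```python
import json
import ssl
import urllib.error
import urllib.request
import uuid

HEC_PATH = "/services/collector/event"
# HEC reply codes touched in this thread; other codes fall through to the raw text.
HEC_REPLY_HINTS = {
    0: "Success",
    10: ("Data channel is missing: the token has indexer acknowledgment (useACK) "
         "enabled, so each request needs an X-Splunk-Request-Channel: <GUID> header"),
}


def is_guid(value):
    """Splunk requires HEC tokens (and ack channels) to be GUIDs in canonical
    8-4-4-4-12 form; reject braces, urn: prefixes and non-hex input."""
    try:
        return str(uuid.UUID(value)).lower() == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def build_hec_request(base_url, token, event, index=None, sourcetype=None, channel=None):
    """Return (url, headers, body) for a single-event POST to HEC.
    `channel` is mandatory when the token was created with useACK=true."""
    if not is_guid(token):
        raise ValueError("HEC token must be a GUID")
    if channel is not None and not is_guid(channel):
        raise ValueError("ack channel must be a GUID")
    payload = {"event": event}
    if index:
        payload["index"] = index
    if sourcetype:
        payload["sourcetype"] = sourcetype
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    return base_url.rstrip("/") + HEC_PATH, headers, json.dumps(payload).encode()


def explain_hec_reply(body):
    """Turn the JSON reply ({"text": ..., "code": ...}) into a remediation hint."""
    reply = json.loads(body)
    code = reply.get("code")
    return HEC_REPLY_HINTS.get(code, f"HEC code {code}: {reply.get('text')}")


def send_hec_event(base_url, token, event, **kw):
    """POST one event over TLS with certificate verification; HEC returns its
    JSON code in 4xx bodies too, so those are decoded rather than raised."""
    url, headers, body = build_hec_request(base_url, token, event, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return explain_hec_reply(resp.read())
    except urllib.error.HTTPError as err:
        return explain_hec_reply(err.read())
```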

Communicator

We have a 3 node Search Head Cluster, ver6.3
4 indexer cluster , ver6.3
2 heavy forwarder, ver6.1
Cluster Master , ver6.3
and a Deployer , ver6.3

We tried to create a token on the cluster master, as it's a standalone machine (and ver6.3). Configured the outputs.conf.
Used the following command to generate a token:

 /opt/splunk/bin/splunk http-event-collector create new-token "SOAHTTPPROD" -index np_dpa -uri "https://p01apl388.:8089"

When I run the following command I get an error: "curl: (56) Recv failure: Connection reset by peer"

curl -k http://p01apl388:8088/services/collector/event/ -H " Authorization: Splunk CA3DEC9C-B060-495A-BD6E-C7BB8CE7039D" -d '{"event": "hello world"}'

A oneshot upload indexes data from the cluster master:

./splunk add oneshot "/opt/splunk/testevent.log" -index np_dpa -sourcetype SOA:PROD:HTTPEVEN

nc -v p01apl388 8088 shows the connection is successful.

Not sure what's the issue here.

Thanks a ton for looking into this @renjith.nair

0 Karma

Splunk Employee

Is HEC configured for non-HTTPS? Put differently, are you posting over HTTP to an HTTPS-only endpoint?

0 Karma

Communicator

Hi @tmuth_splunk, can you please throw some light on what I should be checking?
Right now I am trying to send a test event using curl from the same host where HEC is configured to the indexers.

0 Karma

Splunk Employee

Settings > Data Inputs > HTTP Event Collector > "Global Settings" button at top > "Enable SSL" checkbox (checked by default)