I want to ingest data from a web application using HEC, but I don't understand where I can get the endpoint URL details, also where can I create a HEC token (SH or HF)? And how can I set the sourcetype?
Thanks in advance.
Where to Create the HEC Token (SH or HF?)
As a best practice, Search Heads are built primarily for querying, searching, and visualization—not for data ingestion. However, in specialized environments, this behavior may depend on your architecture or requirements.
A Heavy Forwarder is ideal for HEC. It can receive HEC data, parse it, and forward it to indexers.
Create the token and sourcetype under Settings > Data Inputs > HTTP Event Collector.
You can follow the doc below:
https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/UsetheHTTPEventCollector
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Earlier I used to work on Splunk Cloud, where we used to create a token on the SH and provide the endpoint. Now I moved to Enterprise, so I wanted to know if I can directly create the token on the indexer (master or peer node?) and then provide the indexer as the host in the endpoint URL. Please respond.
Since Splunk Cloud users do not have access to the indexers, it automatically transfers HEC tokens from the SH to the indexers. That does not happen in Splunk Enterprise - you must define the tokens on the indexers or HFs. Then use the indexer or HF in the HEC URL.
Understood! Thank you so much for your response.
Start with the docs at https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-c.... It's labeled version 10, but should apply to 9.x pretty well.
The endpoint URL is derived from your HF or indexer URL.
https://mysplunkserver.example.com:8088/services/collector
Details are in the docs.
The sourcetype is specified in the HEC request; again, details are in the docs. https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-c...
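To make the two points above concrete (endpoint URL derived from the HF/indexer, sourcetype carried in the request body rather than the URL), here is an added Python example that is not from the thread or from Splunk's own docs. The server name and token are constructed placeholders; the `/services/collector` path and the `Authorization: Splunk <token>` header are standard HEC.

```python
"""Build a batch HEC request and (optionally) POST it to an HF or indexer."""
import json
import ssl
import time
import urllib.request

# Constructed placeholders for this example; substitute your HF/indexer and token.
HEC_BASE_URL = "https://mysplunkserver.example.com:8088"   # HF or indexer, HEC port 8088
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"         # placeholder HEC token


def build_hec_request(base_url, token, events, sourcetype, index=None, host=None):
    """Return (url, headers, body) for the JSON /services/collector endpoint.

    Each entry in `events` is the application's own payload; it is wrapped in a
    HEC envelope that carries sourcetype (and optionally index/host). HEC accepts
    several envelopes concatenated in one body, so a batch is a single request.
    """
    url = base_url.rstrip("/") + "/services/collector"
    headers = {
        "Authorization": f"Splunk {token}",   # HEC token, not a user session key
        "Content-Type": "application/json",
    }
    envelopes = []
    for ev in events:
        env = {
            "time": ev.get("time", time.time()),  # epoch seconds; HEC uses it as _time
            "sourcetype": sourcetype,
            "event": ev["event"],
        }
        if index:
            env["index"] = index
        if host:
            env["host"] = host
        envelopes.append(json.dumps(env))
    return url, headers, "\n".join(envelopes)


def send_to_hec(url, headers, body, cafile=None):
    """POST the batch with TLS verification kept on.

    HEC is commonly fronted by a self-signed cert; pass that CA via `cafile`
    instead of disabling verification, so the token cannot be replayed to an
    impostor endpoint.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())   # HEC replies {"text": "Success", "code": 0}
```

Call `send_to_hec(*build_hec_request(HEC_BASE_URL, HEC_TOKEN, events, "webapp:access"))` from the application; the sourcetype you name here is what the indexer applies, so the HEC token itself only needs a default sourcetype as a fallback.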