Getting Data In

How to send data from Universal forwarder to Splunk cloud over HTTP (HEC)?


I'm trying to send data from Splunk universal forwarder (latest) to the Splunk cloud over HTTP event collector.

I have done the below steps:

1) Downloaded "Universal forwarder credentials" from our Splunk cloud and installed on Splunk universal forwarder machine.

2) Configured "outputs.conf" file as below:

httpEventCollectorToken = <http_token>
uri = https://<splunkcloud_url>:443

http_proxy = http://ip:port
https_proxy = http://ip:port


3) Tested using a curl command: I can send data to Splunk cloud.
Response: {"text":"Success","code":0}

curl https://<splunk cloud endpoint>:443/services/collector -H "Authorization: Splunk <HEC TOKEN>" -d '{"event": "hello world"}'

With the above configurations, I could not send data to Splunk cloud. What do I miss here?

1) Where do I need to configure "inputs.conf", "outputs.conf" and "server.conf": in ...etc/system/local, or ...etc/apps/100_splunkcloud/local, or etc/apps/splunk_httpinput/local?

2) If I don't configure inputs.conf in local, as per the default inputs.conf, I should see the _internal and _audit logs of the UF, right?

How can I troubleshoot this issue to send data from the UF to Splunk cloud over HTTP? Any help would be appreciated.






08-21-2022 11:04:29.282 -0400 WARN TcpOutputFd [20567 TcpOutEloop] - Connect to <IP>9997 failed. Network is unreachable
08-21-2022 11:04:29.282 -0400 ERROR TcpOutputFd [20567 TcpOutEloop] - Connection to host=<IP>:9997 failed

To send data over HEC, do I need to have port 9997 listening on the Splunk cloud servers?




Disable your tcpout output. A UF can send to either a tcpout or httpout. You can't have both.




Do I need to disable tcpout in system/defaults as well?



Out of curiosity, what is the issue you are trying to solve by using HEC instead of the normal S2S protocol between UFs and Splunk Cloud?



Also, we wanted to send data via HTTP and not TCP.

Does Splunk S2S help with this?




We are collecting logs from many sources using HEC in Splunk cloud.
We have a requirement to collect data using the universal forwarder. So, we are testing the universal forwarder to send data to Splunk cloud over HEC. Also, I need to test whether data is sent in compressed format.

If S2S works well for this scenario, please provide me a guide on this.


Please see the "Send data to HTTP Event Collector on Splunk Cloud Platform" section in the following documentation.


Are you using the correct URI format with prefix and endpoint? The standard form for the HEC URI in Splunk Cloud Platform is as follows:



One thing to point out is that if you are using httpout, there is no need for the Splunk forwarder app (100_splunkcloud) as that is for Splunk-to-Splunk (S2S) forwarding. Splunk UFs can do either tcpout or httpout, but not both.


1. .conf files should generally be within a custom-created app for the purpose such as: $SPLUNK_HOME/etc/apps/network_inputs/local.conf or $SPLUNK_HOME/etc/apps/base_configs/server.conf, but can be created within $SPLUNK_HOME/etc/system/local without issue to have the highest global precedence if desired. 

Here is some documentation on file precedence:


2. You are correct, _internal and _audit logs are collected by default in /etc/system/default/inputs.conf and will ingest into SplunkCloud once forwarding is configured. 


I also came across this blog post which may be helpful:






I have configured below URI for [httpout] in outputs.conf file

uri = https://http-inputs-<host>

Do I need to add <endpoint> as "/services/collector/_raw" in the uri?
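A checker for the three points the replies above make (the token and uri live under an [httpout] stanza, the uri is a bare base URL, and every tcpout stanza must be off because a UF does one or the other), as an added example that is not from the thread or from Splunk. It reads a merged outputs.conf with Python's configparser; the sample file is constructed, and the rule that uri is scheme://host:port with no endpoint path is the form outputs.conf.spec documents for [httpout].

```python
"""Sanity-check a Universal Forwarder outputs.conf meant for httpout to HEC."""
import configparser
from urllib.parse import urlparse

# Constructed sample, not a real customer file: an [httpout] stanza with an endpoint
# path wrongly appended to uri, plus the tcpout stanzas a 100_splunkcloud app leaves behind.
SAMPLE_OUTPUTS_CONF = """
[httpout]
httpEventCollectorToken = 00000000-0000-0000-0000-000000000000
uri = https://http-inputs-example.splunkcloud.com:443/services/collector

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.example.splunkcloud.com:9997
"""


def check_httpout(conf_text: str) -> list[str]:
    """Return the problems found in a merged outputs.conf; [] means it looks sane."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (httpEventCollectorToken)
    cp.read_string(conf_text)
    problems = []
    if "httpout" not in cp:
        return ["no [httpout] stanza: the token and uri belong under [httpout]"]
    stanza = cp["httpout"]
    token = stanza.get("httpEventCollectorToken", "").strip()
    if not token or token.startswith("<"):
        problems.append("httpEventCollectorToken is missing or still a placeholder")
    uri = urlparse(stanza.get("uri", "").strip())
    host = uri.hostname or ""
    if uri.scheme != "https" or not host or host.startswith("<"):
        problems.append("uri must be https://<host>:<port> with a real hostname")
    else:
        if uri.port is None:
            problems.append("uri has no port; Splunk Cloud HEC listens on 443")
        if uri.path not in ("", "/"):
            problems.append(f"uri carries a path ({uri.path}); give only the base URL, "
                            "the forwarder appends its own collector endpoint")
    # A UF forwards over tcpout or httpout, never both: any tcpout stanza that is
    # not explicitly disabled keeps the forwarder retrying port 9997.
    live_tcpout = [s for s in cp.sections() if s.startswith("tcpout")
                   and cp[s].get("disabled", "false").lower() not in ("true", "1")]
    if live_tcpout:
        problems.append("tcpout still enabled: " + ", ".join(live_tcpout))
    return problems
```

Run it against the concatenation of every outputs.conf that applies to the forwarder (system/local and each app's local and default), since the tcpout stanza you need to disable may live in a different file from your [httpout].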

