Is it possible to configure HTTP Event Collector in a custom app?

laberthelemy
Engager

Is it possible to configure HTTP Event Collector in a custom app, that is to say, not in the splunk_httpinput application?
I think I won't be able to create new tokens with the CLI, since it's using splunk_httpinput by default...

0 Karma
1 Solution

bmacias84
Champion

Yes, you can, by just including an inputs.conf. I currently do this with an app called hec_all_hf containing the following:

[http]
disabled = 0
index = main
sourcetype = generic_single_line
port = 8088

With other apps per env/datacenter, such as hec_dc1, using the following:

[http://availabiltyTest]
disabled = 0
index = main
indexes = main
source = healthcheck
token = DAD09EFD-29AA-4E9A-90CE-9808ACDE
sourcetype = remote
sourcetypeSelection = Manual

gn694
Communicator

I am in the process of working on a standard way to create new HEC tokens, and have them automatically configured on all Heavy Forwarders (I use a Deployment Server and, like you, my own custom app for Heavy Forwarder configs.)

So if I understand you correctly, you generate new tokens (disabled) on your deployment server using the web UI, and then you are copying the new stanza from inputs.conf in the splunk_httpinput app to your custom app and then enabling them there?

That is what I was thinking of doing, and was looking around to see if anyone else was doing this or had any other options when I came across this.

My only other option so far is to keep using the splunk_httpinput app, have it configured and deployed via the Deployment Server, but in this case the tokens would then also be enabled on the Deployment Server, which probably doesn't matter, but I'd rather not have it set up this way. I already have a Deployment Server in place, so cannot set it up on one of the Heavy Forwarders as Splunk documentation recommends.

0 Karma

bmacias84
Champion

Typically you never want to manage built-in apps such as splunk_httpinput, launcher, search. The reason is that removing any of those apps from a ServerClass stanza will completely remove it from the deployment client. In my case I have multiple sets of HECs throughout my environments.

An alternative is to programmatically create tokens via the API and move them to the appropriate app.

0 Karma

laberthelemy
Engager

Thank you.
How do you build new tokens? I mean, is it a random string that you can build yourself, or are you using the UI on a Splunk sandbox to generate it?

0 Karma

bmacias84
Champion

I generate them on my deployment server or on my local machine.

0 Karma
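
Added example (not posted by anyone in this thread and not Splunk tooling): a Python sketch that renders an [http://<name>] stanza for a custom app with a locally generated token, as the last reply describes, and lints inputs.conf text for malformed or reused tokens and for a default index outside the `indexes` allow-list. It assumes tokens use the 8-4-4-4-12 GUID layout; the function names, stanza names and sample values are constructed for illustration.

```python
import configparser
import re
import uuid

# Assumption: HEC tokens use the 8-4-4-4-12 hex GUID layout.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def new_hec_stanza(name, index, sourcetype):
    """Render an [http://<name>] stanza with a fresh random GUID token."""
    token = str(uuid.uuid4()).upper()
    return (f"[http://{name}]\ndisabled = 0\nindex = {index}\n"
            f"indexes = {index}\ntoken = {token}\nsourcetype = {sourcetype}\n")

def lint_hec_inputs(conf_text):
    """Return (stanza, problem) pairs for the token stanzas in inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case, e.g. sourcetypeSelection
    cp.read_string(conf_text)
    findings, seen = [], {}
    for stanza in cp.sections():
        if not stanza.startswith("http://"):
            continue  # the global [http] stanza carries no token
        opts = cp[stanza]
        token = opts.get("token", "").strip()
        if not GUID_RE.match(token):
            findings.append((stanza, "token is missing or not a GUID"))
        elif seen.setdefault(token.lower(), stanza) != stanza:
            findings.append((stanza, f"token reused from {seen[token.lower()]}"))
        allowed = [i.strip() for i in opts.get("indexes", "").split(",") if i.strip()]
        if allowed and opts.get("index", "").strip() not in allowed:
            findings.append((stanza, "default index not in indexes allow-list"))
    return findings

# Constructed sample: two custom-app stanzas sharing one constructed token.
SAMPLE = """[http]
port = 8088
[http://healthcheck_dc1]
index = main
indexes = main
token = 11111111-2222-4333-8444-555555555555

[http://healthcheck_dc2]
index = secure
indexes = main
token = 11111111-2222-4333-8444-555555555555
"""

if __name__ == "__main__":
    print(new_hec_stanza("healthcheck_dc3", "main", "remote"), lint_hec_inputs(SAMPLE), sep="\n")
```

Running the linter over each custom app's inputs.conf before it goes to the Deployment Server catches a token copied between environments.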