Is it possible to configure HTTP Event Collector in a custom app?

laberthelemy
Engager

Is it possible to configure HTTP Event Collector in a custom app, that is to say, not in the splunk_httpinput application?
I think I won't be able to create new tokens with the CLI, since it's using splunk_httpinput by default ...

0 Karma
1 Solution

bmacias84
Champion

Yes, you can, by just including an inputs.conf. I currently do this with an app called hec_all_hf containing the following:

[http]
disabled = 0
index = main
sourcetype = generic_single_line
port = 8088

With another app per env/datacenter, such as hec_dc1, using the following:

[http://availabiltyTest]
disabled = 0
index = main
indexes = main
source = healthcheck
token = DAD09EFD-29AA-4E9A-90CE-9808ACDE
sourcetype = remote
sourcetypeSelection = Manual


gn694
Communicator

I am in the process of working on a standard way to create new HEC tokens, and have them automatically configured on all Heavy Forwarders (I use a Deployment Server and, like you, my own custom app for Heavy Forwarder configs.)

So if I understand you correctly, you generate new tokens (disabled) on your deployment server using the web UI, and then you are copying the new stanza from inputs.conf in the splunk_httpinput app to your custom app and then enabling them there?

That is what I was thinking of doing, and was looking around to see if anyone else was doing this or had any other options when I came across this.

My only other option so far is to keep using the splunk_httpinput app, have it configured and deployed via the Deployment Server, but in this case the tokens would then also be enabled on the Deployment Server - which probably doesn't matter, but I'd rather not have it set up this way. I already have a Deployment Server in place, so cannot set it up on one of the Heavy Forwarders as Splunk documentation recommends.

0 Karma

bmacias84
Champion

Typically you never want to manage built-in apps such as splunk_httpinput, launcher, search. The reason is that removing any of those apps from a ServerClass stanza will completely remove it from the deployment client. In my case I have multiple sets of HECs throughout my environments.

An alternative is to programmatically create tokens via the API and move them to the appropriate app.

0 Karma

laberthelemy
Engager

Thank you.
How do you build new tokens? I mean, is it a random string that you can build yourself, or are you using the UI on a Splunk sandbox to generate it?

0 Karma

bmacias84
Champion

I generate them on my deployment server or on my local machine.

0 Karma
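
One way to build tokens on a local machine and emit stanzas for a custom app, following the thread above (an added example, not code from any poster or from Splunk). It assumes HEC accepts a locally generated GUID-format token like the one shown in the thread; the helper names and the `local/inputs.conf` layout are illustrative.

```python
import os
import re
import uuid

# Keys limited to the ones used in the stanza posted in the thread.
ALLOWED_KEYS = ("disabled", "index", "indexes", "source", "sourcetype", "token")
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def new_hec_token():
    """Version-4 UUID from the OS CSPRNG, upper-cased like the thread's token."""
    return str(uuid.uuid4()).upper()


def render_stanza(name, token, **settings):
    """Render one [http://<name>] stanza, rejecting input that could inject lines."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("bad input name: %r" % name)
    uuid.UUID(token)  # ValueError unless the token is a well-formed GUID
    settings["token"] = token
    unknown = set(settings) - set(ALLOWED_KEYS)
    if unknown:
        raise ValueError("unexpected keys: %s" % sorted(unknown))
    lines = ["[http://%s]" % name]
    for key in ALLOWED_KEYS:
        if key in settings:
            value = str(settings[key])
            if "\n" in value or "\r" in value:
                raise ValueError("line break in value for %s" % key)
            lines.append("%s = %s" % (key, value))
    return "\n".join(lines) + "\n"


def write_inputs(app_dir, stanzas):
    """Write <app_dir>/local/inputs.conf with owner-only permissions (0600)."""
    conf_dir = os.path.join(app_dir, "local")
    os.makedirs(conf_dir, exist_ok=True)
    path = os.path.join(conf_dir, "inputs.conf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(stanzas))
    os.chmod(path, 0o600)  # also tighten a file that already existed
    return path


if __name__ == "__main__":
    # Constructed sample: a disabled token for a hypothetical per-datacenter app.
    print(render_stanza("healthcheck", new_hec_token(), disabled=1,
                        index="main", sourcetype="remote"))
```

The token is a bearer credential, so the file is created readable only by the account that writes it; run the script as the account Splunk runs under.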