Is it possible to configure HTTP Event Collector in a custom app?

Engager

Is it possible to configure HTTP Event Collector in a custom app, that is to say, not in the splunk_httpinput application?
I think I won't be able to create new tokens with the CLI, since it uses splunk_httpinput by default ...

0 Karma
1 Solution

Champion

Yes, you can, by just including an inputs.conf. I currently do this with an app called hec_all_hf containing the following:

[http]
disabled = 0
index = main
sourcetype = generic_single_line
port = 8088

With another app per env/datacenter, such as hec_dc1, using the following:

[http://availabiltyTest]
disabled = 0
index = main
indexes = main
source = healthcheck
token = DAD09EFD-29AA-4E9A-90CE-9808ACDE
sourcetype = remote
sourcetypeSelection = Manual


Communicator

I am in the process of working on a standard way to create new HEC tokens, and have them automatically configured on all Heavy Forwarders (I use a Deployment Server and, like you, my own custom app for Heavy Forwarder configs.)

So if I understand you correctly, you generate new tokens (disabled) on your deployment server using the web UI, then copy the new stanza from inputs.conf in the splunk_httpinput app to your custom app and enable it there?

That is what I was thinking of doing, and was looking around to see if anyone else was doing this or had any other options when I came across this.

My only other option so far is to keep using the splunk_httpinput app, have it configured and deployed via the Deployment Server, but in this case the tokens would then also be enabled on the Deployment Server, which probably doesn't matter, but I'd rather not have it set up this way. I already have a Deployment Server in place, so I cannot set it up on one of the Heavy Forwarders as the Splunk documentation recommends.

0 Karma

Champion

Typically you never want to manage built-in apps such as splunk_httpinput, launcher, or search. The reason is that removing any of those apps from a ServerClass stanza will completely remove it from the deployment client. In my case I have multiple sets of HECs throughout my environments.

An alternative is to programmatically create tokens via the API and move them to the appropriate app.

0 Karma
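The two answers above describe the same procedure: keep the global `[http]` stanza in one app, generate a token somewhere other than a production heavy forwarder, and write an `[http://<name>]` stanza with `token`, `index`, `indexes` and `sourcetype` into a custom app that the deployment server pushes. The script below is an added example, not code from the thread or from Splunk: it generates the token offline (a HEC token is a UUID, which is what Splunk Web produces, and `uuid.uuid4()` draws from `os.urandom`), merges the stanza into existing inputs.conf text without overwriting a stanza that clients may already be using, and lints the result for the settings a reviewer would reject before pushing the app: a non-UUID token, a missing `indexes` allow-list, a default `index` outside that list, and `enableSSL = 0` on the `[http]` stanza. The function names and the sample inputs.conf text are constructed for this example; only the inputs.conf setting names are Splunk's. The `indexes` check matters because a HEC token is a bearer credential: whoever holds it can write to every index the stanza allows, so pin it to the one index the sender needs.

```python
"""Generate a HEC token offline and merge it into a custom app's inputs.conf.

Added example for this thread; not the poster's or Splunk's own tooling.
Standard library only: configparser handles inputs.conf's INI-style stanzas.
"""
import configparser
import io
import re
import uuid
from typing import List, Optional

# HEC tokens are UUIDs; Splunk Web displays them upper-case (8-4-4-4-12 hex).
TOKEN_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$"
)


def new_hec_token() -> str:
    """Return a fresh token. uuid4() reads os.urandom, so it is unguessable."""
    return str(uuid.uuid4()).upper()


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: inputs.conf has keys like enableSSL
    cp.read_string(text)
    return cp


def add_hec_token(existing: str, name: str, index: str, sourcetype: str,
                  token: Optional[str] = None,
                  source: Optional[str] = None) -> str:
    """Append an [http://<name>] stanza to inputs.conf text and return the text.

    Refuses to replace an existing stanza so a redeploy cannot silently rotate
    a token that senders still use. `indexes` is pinned to the single target
    index so a leaked token cannot write anywhere else.
    """
    cp = _parse(existing)
    stanza = f"http://{name}"
    if cp.has_section(stanza):
        raise ValueError(f"{stanza} already exists; rotate it explicitly")
    token = token or new_hec_token()
    if not TOKEN_RE.match(token):
        raise ValueError("token must be an upper-case UUID")
    cp[stanza] = {
        "disabled": "0",
        "token": token,
        "index": index,
        "indexes": index,
        "sourcetype": sourcetype,
    }
    if source:
        cp[stanza]["source"] = source
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def lint_hec_conf(text: str) -> List[str]:
    """Return findings a reviewer would block on before pushing the app."""
    cp = _parse(text)
    findings: List[str] = []
    if cp.has_section("http") and cp["http"].get("enableSSL", "1") == "0":
        findings.append("[http] enableSSL = 0: tokens and events travel in clear text")
    for section in cp.sections():
        if not section.startswith("http://"):
            continue
        s = cp[section]
        tok = s.get("token", "")
        if not TOKEN_RE.match(tok):
            findings.append(f"{section}: token is not a UUID ({tok!r})")
        allowed = {i.strip() for i in s.get("indexes", "").split(",") if i.strip()}
        if not allowed:
            findings.append(f"{section}: no 'indexes' allow-list; token may write to any index")
        elif s.get("index") and s["index"] not in allowed:
            findings.append(f"{section}: default index {s['index']!r} is not in indexes={sorted(allowed)}")
    return findings


# Constructed sample of the global stanza, with the weak setting left in on purpose.
SAMPLE_GLOBAL_CONF = """[http]
disabled = 0
enableSSL = 0
port = 8088
index = main
sourcetype = generic_single_line
"""

if __name__ == "__main__":
    merged = add_hec_token(SAMPLE_GLOBAL_CONF, "healthcheck", "main", "remote",
                           source="healthcheck")
    print(merged)
    for finding in lint_hec_conf(merged):
        print("FINDING:", finding)
```

Run it and the lint reports only the `enableSSL = 0` finding; change that line to `enableSSL = 1` and the merged file is clean. Write the returned text to `<custom_app>/local/inputs.conf` with file permissions restricted to the Splunk user, keep it out of any repository that other teams can read, and treat rotation as a new stanza plus removal of the old one rather than an in-place edit, which is exactly what the duplicate-stanza guard enforces.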

Engager

Thank you.
How do you build new tokens? I mean, is it a random string that you can build yourself, or are you using the UI on a Splunk sandbox to generate it?

0 Karma

Champion

I generate them on my deployment server or on my local machine.

0 Karma