I am trying to send alerts from an appliance to a Splunk (HF) forwarder.
I have the appliance sending to Splunk's Rest API and I can see data pushed to tcp.port 8089 on the forwarder, but the index and sourcetype are not predefined on the HF. Is there a way for to send the data to the API and pass the index and sourcetype in the Post statement?
If you want to send something from an appliance to a heavy forwarder, you might consider using the HTTP Event Collector (HEC) instead. HEC allows the data to include sourcetype, host and index - OR to let that default. If defaulted, the Splunk Admin can specify the index, etc. HEC works well with json data.
Using the HEC also means that the appliance does not need a Splunk username/password to connect. Instead it uses a token which is easy to control.
Here is the Introduction to the HTTP Event Collector.
Thank you for the reply.
I looked into the HEC with Fireeye before and we could not get it to work.
Do you know anyone who successfully setup a fireeye appliance NX, EX, or HX with HEC ?
make sure there is no network connectivity issues, its pretty neat and simple.
try from CLI - http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/UseHECfromtheCLI
how to set up - http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/UsetheHTTPEventCollector