hi all
new to Splunk and its ecosystem
I was asked to research it a bit and try to inject data in 2 ways: local file and using REST Api
I added local CSV file data to the Splunk Cloud from the "Add data --> Upload" option.
so far, so good.
now I'm trying to add some data using the HTTP Event Collector options.
I defined a new HEC and I have a valid token now.
now I got some questions:
1. How do I actually send the data using Postman or some other HTTP tool? Except for the token, I don't even know what URL I should invoke.
2. In what format should I send data? I'm guessing JSON or CSV, but I can't find any information about supported types and schemas.
3. Is there some sort of full documentation of the API, like Swagger style?
since this is only POC I need some help or examples to get me started
thanks
Amir
There are good examples of HEC usage in the docs. Start with https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/UsetheHTTPEventCollector
@richgalloway thanks for the link.
from the link you shared:
The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>
Where:
I'm guessing I should use the "Splunk Cloud Platform free trials" so the URL is:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
1. what is the <host> ? is it something unique to my account? how do I know what to use?
Yes, <host> is unique to your account. Get it from the URL you use to connect to your Splunk Cloud trial account. It will be <host>.splunkcloud.com.
2. if I'm sending data from a Postman client / local application (running from my computer), do I need the "http-inputs" part of the URL?
Yes, the "http-inputs" part is required regardless of how you send the data.
3. since port 8088 is for the free trial - does that mean that I should use HTTP?
The port number is independent of the protocol. Try them both and use the protocol that works for you.
4. is there a list of <endpoints> I can explore?
Yes. See https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/HECRESTendpoints
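An added example (not from this thread or from Splunk's own docs) that puts the pieces above together: it builds the free-trial URI form quoted in the thread, wraps records in the HEC JSON envelope, and POSTs them with the `Authorization: Splunk <token>` header. It assumes the `services/collector/event` endpoint; the host name and token are placeholders read from environment variables.

```python
import json
import os
import time
import urllib.request

# Free-trial form quoted above: <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
# The Google Cloud form differs only in using "http-inputs.<host>".
EVENT_ENDPOINT = "services/collector/event"  # HEC JSON event endpoint (assumed)


def build_hec_url(host, port=8088, protocol="https", endpoint=EVENT_ENDPOINT, gcp=False):
    """Assemble the HEC URL from its parts; <host> is the stack name from the Splunk Cloud URL."""
    sep = "." if gcp else "-"
    return f"{protocol}://http-inputs{sep}{host}.splunkcloud.com:{port}/{endpoint}"


def build_event(event, sourcetype="_json", index=None, host=None, event_time=None):
    """Wrap a record in the HEC envelope: the data goes under "event"; the rest is optional metadata."""
    payload = {"event": event, "sourcetype": sourcetype,
               "time": event_time if event_time is not None else time.time()}
    if index:
        payload["index"] = index
    if host:
        payload["host"] = host
    return payload


def send_events(url, token, payloads, timeout=10):
    """POST one or more envelopes in a single request (HEC accepts concatenated JSON objects).
    The token goes only in the Authorization header, never in the URL, so it stays out of
    proxy and access logs; TLS certificate verification is left at its default (on)."""
    body = "".join(json.dumps(p) for p in payloads).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))  # HEC answers with JSON, e.g. {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Placeholders: set SPLUNK_HOST and SPLUNK_HEC_TOKEN to send for real; otherwise only print.
    host = os.environ.get("SPLUNK_HOST", "example-stack")
    token = os.environ.get("SPLUNK_HEC_TOKEN")
    url = build_hec_url(host)
    events = [build_event({"user": "amir", "action": "login", "result": "ok"}),      # constructed sample
              build_event({"user": "amir", "action": "upload", "bytes": 1234}, sourcetype="demo:app")]
    print(url)
    print("".join(json.dumps(e) for e in events))
    if token:
        print(send_events(url, token, events))
```

In Postman the same request is a POST to the printed URL with the `Authorization` header set to `Splunk <token>` and the printed JSON as the raw body.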