Getting Data In

Need help to send data Splunk Cloud using HEC

dardar
Engager

hi all,
new to Splunk and its ecosystem.
I was asked to research it a bit and try to inject data in 2 ways: local file and using the REST API.

I added local CSV file data to the Splunk Cloud from the "Add data --> Upload" option.

so far, so good.

now I'm trying to add some data using the HTTP Event Collector options.

I defined a new HEC and I have a valid token now.

now I got some questions:
1. How do I actually send the data using Postman or some other HTTP tool? Except for the token I don't even know what URL I should invoke.

2. In what format should I send data? I'm guessing JSON or CSV but I can't find any information about supported types and schemas.

3. Is there some sort of full documentation of the API, like Swagger style?

Since this is only a POC I need some help or examples to get me started.

thanks

Amir



richgalloway
SplunkTrust

There are good examples of HEC usage in the docs.  Start with https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/UsetheHTTPEventCollector

---
If this reply helps you, Karma would be appreciated.

dardar
Engager

@richgalloway thanks for the link.

from the link you shared:

The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform is as follows:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

Where:

  • <protocol> is either http or https
  • You must add http-inputs- before the <host> on AWS.
  • You must add http-inputs. before the <host> on GCP.
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • You must add the domain .splunkcloud.com after the <host>
  • <port> is the HEC port number
    • 8088 on Splunk Cloud Platform free trials
    • 443 by default on Splunk Cloud Platform instances
  • <endpoint> is the HEC endpoint you want to use. In many cases, you use the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events or the services/collector/raw endpoint for raw events


I'm guessing I should use the "Splunk Cloud Platform free trials" form, so the URL is:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

1. What is the <host>? Is it something unique to my account? How do I know what to use?
2. If I'm sending data from a Postman client / local application (running from my computer) do I need the "http-inputs" part of the URL?
3. Since port 8088 is for the free trial, does that mean that I should use HTTP?
4. Is there a list of <endpoints> I can explore?

thanks for any help!

richgalloway
SplunkTrust

1. What is the <host>? Is it something unique to my account? How do I know what to use?

Yes, <host> is unique to your account.  Get it from the URL you use to connect to your Splunk Cloud trial account.  It will be <host>.splunkcloud.com.

2. If I'm sending data from a Postman client / local application (running from my computer) do I need the "http-inputs" part of the URL?

Yes, the "http-inputs" part is required regardless of how you send the data.

3. Since port 8088 is for the free trial, does that mean that I should use HTTP?

The port number is independent of the protocol.  Try them both and use the protocol that works for you.

4. Is there a list of <endpoints> I can explore?

Yes. See https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/HECRESTendpoints

---
If this reply helps you, Karma would be appreciated.
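A worked example of the POST discussed in this thread, added here and not part of any post above or of Splunk's own SDK: it builds the HEC URI from the template quoted from the docs (AWS `http-inputs-` vs GCP `http-inputs.` prefix, trial port 8088 vs 443), wraps an event in the JSON envelope that /services/collector/event expects, and sends it with the token in the `Authorization: Splunk <token>` header. The host value, the environment variable names and the `poc` source are placeholders to replace with your own.

```python
"""Send one event to Splunk Cloud HEC using the URI template quoted in the thread."""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Optional

def hec_url(host: str, *, trial: bool = False, gcp: bool = False,
            endpoint: str = "/services/collector/event", https: bool = True) -> str:
    """Build <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>.

    AWS stacks use the 'http-inputs-' prefix and GCP stacks 'http-inputs.'; free trials
    listen on 8088, regular stacks on 443. HTTPS is the default so the token is not sent in clear.
    """
    sep = "." if gcp else "-"
    port = 8088 if trial else 443
    scheme = "https" if https else "http"
    return f"{scheme}://http-inputs{sep}{host}.splunkcloud.com:{port}/{endpoint.lstrip('/')}"

def hec_payload(event, *, sourcetype: str = "_json", source: str = "poc",
                index: Optional[str] = None, ts: Optional[float] = None) -> bytes:
    """Wrap an event (string or dict) in the JSON envelope /services/collector/event expects."""
    body = {"event": event, "sourcetype": sourcetype, "source": source,
            "time": ts if ts is not None else time.time()}
    if index:  # omit to let the token's default index apply
        body["index"] = index
    return json.dumps(body).encode()

def send_event(url: str, token: str, payload: bytes, timeout: float = 10) -> dict:
    """POST the payload. The token is a bearer secret: it goes in the header, never in the URL."""
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            reply = json.loads(resp.read())
    except urllib.error.HTTPError as err:  # e.g. 403 for a bad token, 400 for a bad payload
        raise RuntimeError(f"HEC HTTP {err.code}: {err.read().decode(errors='replace')}") from None
    if reply.get("code") != 0:  # HEC answers {"text": "Success", "code": 0} when it accepts the event
        raise RuntimeError(f"HEC rejected event: {reply}")
    return reply

if __name__ == "__main__":
    # Placeholders: <host> is the first label of your <host>.splunkcloud.com URL; token from the HEC input you defined.
    stack = os.environ.get("SPLUNK_HOST", "your-host")
    token = os.environ["SPLUNK_HEC_TOKEN"]
    print(send_event(hec_url(stack, trial=True), token,
                     hec_payload({"msg": "hello from the POC", "level": "info"})))
```

The same URL and headers can be pasted into Postman: POST to the `hec_url` result, header `Authorization: Splunk <token>`, and the `hec_payload` JSON as a raw body.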