Need help to send data Splunk Cloud using HEC

dardar
Engager

Hi all,
New to Splunk and its ecosystem.
I was asked to research it a bit and try to inject data in 2 ways: local file and using the REST API.

I added local CSV file data to the Splunk Cloud from the "Add data --> Upload" option.

so far, so good.

now I'm trying to add some data using the HTTP Event Collector options.

I defined a new HEC and I have a valid token now.

Now I have some questions:
1. How do I actually send the data using Postman or some other HTTP tool? Except for the token, I don't even know what URL I should invoke.

2. In what format should I send data? I'm guessing JSON or CSV, but I can't find any information about supported types and schemas.

3. Is there some sort of full documentation of the API, like Swagger style?

Since this is only a POC, I need some help or examples to get me started.

thanks

Amir


richgalloway
SplunkTrust

There are good examples of HEC usage in the docs.  Start with https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/UsetheHTTPEventCollector

---
If this reply helps you, Karma would be appreciated.

dardar
Engager

@richgalloway thanks for the link.

From the link you shared:

The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform is as follows:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

Where:

  • <protocol> is either http or https
  • You must add http-inputs- before the <host> on AWS.
  • You must add http-inputs. before the <host> on GCP.
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • You must add the domain .splunkcloud.com after the <host>
  • <port> is the HEC port number
    • 8088 on Splunk Cloud Platform free trials
    • 443 by default on Splunk Cloud Platform instances
  • <endpoint> is the HEC endpoint you want to use. In many cases, you use the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events or the services/collector/raw endpoint for raw events

I'm guessing I should use the "Splunk Cloud Platform free trials" form, so the URL is:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

1. What is the <host>? Is it something unique to my account? How do I know what to use?
2. If I'm sending data from a Postman client / local application (running from my computer), do I need the "http-inputs" part of the URL?
3. Since port 8088 is for the free trial, does that mean that I should use HTTP?
4. Is there a list of <endpoints> I can explore?

Thanks for any help!

richgalloway
SplunkTrust

1. What is the <host>? Is it something unique to my account? How do I know what to use?

Yes, <host> is unique to your account. Get it from the URL you use to connect to your Splunk Cloud trial account. It will be <host>.splunkcloud.com.

2. If I'm sending data from a Postman client / local application (running from my computer), do I need the "http-inputs" part of the URL?

Yes, the "http-inputs" part is required regardless of how you send the data.

3. Since port 8088 is for the free trial, does that mean that I should use HTTP?

The port number is independent of the protocol. Try them both and use the protocol that works for you.

4. Is there a list of <endpoints> I can explore?

Yes. See https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/HECRESTendpoints

---
If this reply helps you, Karma would be appreciated.
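As an added example that is not part of the thread or Splunk's own code, the following Python script puts the pieces from the quoted documentation and the answers above together: it assembles the HEC URI from protocol, host, port and endpoint (with the AWS `http-inputs-` and GCP `http-inputs.` variants), wraps events in the JSON envelope that `/services/collector/event` expects, sends them with the `Authorization: Splunk <token>` header, and shows the raw endpoint as well. `HOST`, `HEC_TOKEN` and the sample events are constructed placeholders; replace them with the stack name from your own `<host>.splunkcloud.com` URL and the token from your HEC input. It uses HTTPS by default, since the token travels in a request header on every call.

```python
"""Build a Splunk Cloud HEC request and post events to it.

Added example for the thread above, not Splunk's code. HOST, HEC_TOKEN and
the sample events are constructed placeholders."""
import json
import urllib.request
from typing import Any, Dict, Iterable, Optional

HOST = "example-stack"      # placeholder for the <host> in <host>.splunkcloud.com
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder; paste the token from your HEC input
PORT = 8088                 # 8088 on free trials, 443 on regular Splunk Cloud instances


def hec_url(host: str, port: int, endpoint: str = "/services/collector/event",
            protocol: str = "https", on_gcp: bool = False) -> str:
    """Assemble <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>.

    AWS-hosted stacks (and free trials) prefix the host with 'http-inputs-';
    GCP-hosted stacks use 'http-inputs.' instead, as in the quoted docs."""
    prefix = "http-inputs." if on_gcp else "http-inputs-"
    return f"{protocol}://{prefix}{host}.splunkcloud.com:{port}{endpoint}"


def hec_headers(token: str, content_type: str = "application/json") -> Dict[str, str]:
    # HEC authenticates with the "Splunk" scheme followed by the token, not "Bearer".
    return {"Authorization": f"Splunk {token}", "Content-Type": content_type}


def hec_event(event: Any, sourcetype: str, host: Optional[str] = None,
              index: Optional[str] = None) -> Dict[str, Any]:
    """Wrap one event in the envelope /services/collector/event expects.

    'event' may be a plain string or a JSON object; sourcetype, host and
    index are metadata keys that sit beside it, not inside it."""
    envelope: Dict[str, Any] = {"event": event, "sourcetype": sourcetype}
    if host is not None:
        envelope["host"] = host
    if index is not None:
        envelope["index"] = index
    return envelope


def hec_batch_body(events: Iterable[Any], sourcetype: str) -> bytes:
    """Several envelopes may be concatenated in one POST body; a newline
    between them keeps the payload readable when you paste it into Postman."""
    return "\n".join(json.dumps(hec_event(e, sourcetype)) for e in events).encode("utf-8")


def post(url: str, headers: Dict[str, str], body: bytes, timeout: float = 10.0) -> Dict[str, Any]:
    """POST the body and return HEC's JSON reply. A healthy reply is
    {"text": "Success", "code": 0}; 4xx/5xx raise urllib.error.HTTPError,
    e.g. 403 for a bad token or 400 for a malformed envelope."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events; in a real run these come from your application.
    sample = [
        {"user": "alice", "action": "login", "result": "success"},
        {"user": "bob", "action": "login", "result": "failure"},
    ]
    body = hec_batch_body(sample, sourcetype="poc:json")
    print(post(hec_url(HOST, PORT), hec_headers(HEC_TOKEN), body))

    # Raw endpoint: the body is plain text and Splunk applies the sourcetype's
    # line-breaking rules to it instead of expecting a JSON envelope.
    raw_url = hec_url(HOST, PORT, endpoint="/services/collector/raw")
    raw_line = b"2024-01-01T00:00:00Z poc raw line\n"   # constructed sample
    print(post(raw_url, hec_headers(HEC_TOKEN, "text/plain"), raw_line))
```

The same request in Postman is a POST to the URL that `hec_url` prints, with an `Authorization` header whose value is `Splunk <token>` and a raw body containing the JSON envelope(s); CSV is not a HEC payload format, so convert rows to one JSON object each before sending.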