Hi all,
I'm new to Splunk and its ecosystem.
I was asked to research it a bit and try to inject data in 2 ways: local file and using the REST API.
I added local CSV file data to Splunk Cloud from the "Add data --> Upload" option.
So far, so good.
Now I'm trying to add some data using the HTTP Event Collector options.
I defined a new HEC and I have a valid token now.
Now I've got some questions:
1. How do I actually send the data using Postman or some other HTTP tool? Except for the token, I don't even know what URL I should invoke.
2. In what format should I send data? I'm guessing JSON or CSV, but I can't find any information about supported types and schemas.
3. Is there some sort of full documentation of the API? Like, Swagger style?
Since this is only a POC, I need some help or examples to get me started.
Thanks,
Amir




There are good examples of HEC usage in the docs. Start with https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/UsetheHTTPEventCollector
If this reply helps you, Karma would be appreciated.
@richgalloway, thanks for the link.
From the link you shared:
The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform is as follows:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>
Where:
- <protocol> is either http or https
- You must add http-inputs- before the <host> on AWS.
- You must add http-inputs. before the <host> on GCP.
- <host> is the Splunk Cloud Platform instance that runs HEC
- You must add the domain .splunkcloud.com after the <host>
- <port> is the HEC port number
  - 8088 on Splunk Cloud Platform free trials
  - 443 by default on Splunk Cloud Platform instances
- <endpoint> is the HEC endpoint you want to use. In many cases, you use the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events or the services/collector/raw endpoint for raw events
I'm guessing I should use the "Splunk Cloud Platform free trials" so the URL is:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
1. What is the <host>? Is it something unique to my account? How do I know what to use?
2. If I'm sending data from a Postman client \ local application (running from my computer), do I need the "http-inputs" part of the URL?
3. Since port 8088 is for the free trial, does that mean that I should use HTTP?
4. Is there a list of <endpoints> I can explore?
Thanks for any help!


1. What is the <host>? Is it something unique to my account? How do I know what to use?
Yes, <host> is unique to your account. Get it from the URL you use to connect to your Splunk Cloud trial account. It will be <host>.splunkcloud.com.
2. If I'm sending data from a Postman client \ local application (running from my computer), do I need the "http-inputs" part of the URL?
Yes, the "http-inputs" part is required regardless of how you send the data.
3. Since port 8088 is for the free trial, does that mean that I should use HTTP?
The port number is independent of the protocol. Try them both and use the protocol that works for you.
4. Is there a list of <endpoints> I can explore?
Yes. See https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Data/HECRESTendpoints
If this reply helps you, Karma would be appreciated.
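
An added example, not part of any post in this thread and not Splunk's own code: it builds the HEC URI in the three forms quoted above and prepares a JSON POST to `/services/collector/event` with the token in an `Authorization: Splunk <token>` header. The stack name `example-stack`, the all-zero token and the function names are constructed placeholders, and insisting on https is a choice made here so the token is not sent in cleartext.

```python
import json
import urllib.request

# Prefix and default port per URI form quoted in the thread.
_PREFIX = {"trial": "http-inputs-", "aws": "http-inputs-", "gcp": "http-inputs."}
_DEFAULT_PORT = {"trial": 8088, "aws": 443, "gcp": 443}


def hec_url(host, platform="trial", endpoint="/services/collector/event",
            protocol="https", port=None):
    """Build the HEC URI from the <host> part of <host>.splunkcloud.com."""
    if platform not in _PREFIX:
        raise ValueError(f"unknown platform: {platform!r}")
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    if not host or "splunkcloud.com" in host or any(c in host for c in "/:@ "):
        raise ValueError("host must be the bare stack name, not a URL")
    port = port or _DEFAULT_PORT[platform]
    return (f"{protocol}://{_PREFIX[platform]}{host}.splunkcloud.com:{port}"
            f"/{endpoint.lstrip('/')}")


def hec_request(url, token, event, sourcetype=None, index=None):
    """Prepare (but do not send) a POST of one JSON event to HEC."""
    if not url.startswith("https://"):
        # The token is a bearer credential; plain http would expose it on the wire.
        raise ValueError("refusing to send the HEC token over plain http")
    body = {"event": event}
    if sourcetype:
        body["sourcetype"] = sourcetype
    if index:
        body["index"] = index
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed placeholders: substitute your own stack name and token.
    req = hec_request(hec_url("example-stack"),
                      "00000000-0000-0000-0000-000000000000",
                      {"message": "hello from the POC"}, sourcetype="_json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read().decode())
```

In Postman the same request is a POST to the built URL with the `Authorization` header set to `Splunk <token>` and the JSON object as the raw body.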
