Splunk HEC and iOS/HomeKit Shortcuts

A number of years ago the PM for HEC happen to sit behind me at a conf keynote. Glenn leaned forward and said you’re going to love this. He was right, I fell in love with HEC right away. 

Few months later I was giving him grief about where the HEC example code was for Python because the RaspberryPi universal forward was not getting love at the time. He replied it’s just JSON and Post just write it. So I did and made a HEC python class a number of folks still use. (GitHub - georgestarcher/Splunk-Class-httpevent: Python class to submit events to Splunk HTTP Event C...)

Recently, I was messing with a lot of iOS shortcuts (https://support.apple.com/guide/shortcuts/welcome/ios) automating things on my phone and my home. I wondered what if I posted JSON to the SplunkTrust (https://www.splunk.com/en_us/community/splunk-trust.html ) SpunkCloud instance. Could I do it easily and natively within shortcuts?

The short answer is YES!

You need to remember HEC was made by devs for devs. So you need only to decide a good JSON (Dictionary) payload that meets the HEC Events endpoint formatting. We bother with the raw endpoint because the Dictionary object is a native shortcuts thing.

1. You will need a valid HEC receiver setup which is beyond the scope of this post.
2. The HEC receiver will have to be reachable from the Internet such as SplunkCloud.
3. You will need to have a valid HEC token and know the index. Here we just use main.
4. You will have to look at the attached screen shots. I am not typing out every tap and step here. Shortcuts are visually self explanatory.

IOS Shortcuts:

Shortcuts have more power on iOS vs on HomeKit. So first we will cover the easy way on iOS.

First you will want to make a new shortcut to act at your HEC Sender. This is so you can set it up once but run it from other shortcuts that have a well formed JSON event to send. Think python class/code reuse.

1. We receive text from input to the shortcut. This is what we receive when this shortcut is called by “Run Shortcut” 
2. We store that in a variable “Hec Payload”
3. We next store the Full URL to the Hec Events endpoint and the Hec Token in variables
4. The finally trick is doing the POST action of the payload to the HEC receiver using the “Get contents of HTTP” Action. Note in the attached screen shot we change the action to post, set the header and use type of File for the JSON payload.

Next let’s setup a shortcut that sends the data we want. 

Here we make one to get the device name, other device information and log the battery level at the time.

The key is making the Dictionary object for the HEC event payload.  Here is a drill down of that section.

Last we automate the running of the data shortcut whenever we plug our device into power.

To show it works like a champ:

HomeKit:

Now let’s say you want to log an event from a light coming on. HomeKit can execute some limited shortcut actions. These get executed on whatever your HomeKit hub turns out to be hence the limitation Such as an AppleTV 4K or HomePod. The limitation for us is there is no Run Shortcut action. 

This means you have to make the JSON payload (dictionary) object and the HTTP action together in each automation. No easy setup the HEC send and call it as needed

In this example we simply log when my mantle hue bulb comes on. This could be anything HomeKit can trigger off of such as a button press, motion, temperature etc. I won’t expand it all as they work the same way as our previous example. This just shows you have to build the payload and post action inside each HomeKit automation action.

What is next?

Well you can automate HEC post of any data that an iOS or HomeKit shortcut can see. Use your imagination for data that is of value to you.