Getting Data In

What is the correct URL to set up HTTP Event Collector on Splunk Cloud?

JosIJntema
Explorer

Hi there,

Perhaps a beginner question, but I am not sure what URL I have to call to send my event data. I know the URL for localhost and I get this, but now when I tried the Splunk Cloud version, I am unable to find the correct URL.

Thanks !

Best regards,
Jos

tdepuy
Path Finder

So I was able to open a support case through another department in our organization and the support rep pointed me here:
http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/AdddatausingHTTPeventcollector#Add_data_...

So the url format is:

input-prd-p-XXXXX.cloud.splunk.com:8088/services/collector

Note the input prefix and the 8088 port. That worked for me and the support rep did not state anything needed to be enabled.
I hope that helps.

Also, if you are getting a connection refused, make sure the HTTP Event Collector is enabled in Global Settings (Data Inputs >> HTTP Event Collector > Global Settings > Enable).

Edit: Sorry for the spam. I was getting a 500 error and didn't realize the posts were going through!
Double Edit: Added note for Global Settings

jonh1
Engager

I just created a cloud instance today and none of the suggested URLs work for HEC.  Is it something new now?

lguinn2
Legend

If you are using Splunk Cloud, you will have to work with the Cloud support team to set up HTTP event collection.

If you are using Splunk Enterprise, you enable HTTP event collection on a particular port. Your URL should be
https://yourServerAddress:yourChosenPort

You might want to read the HTTP Event Collector Walk-through

0 Karma

tdepuy
Path Finder

Ditto here? I have no support contract so how does one contact support?

0 Karma

vemulasplunk
Explorer

Have you resolved the issue?

0 Karma

tdepuy
Path Finder

I signed up for a new account a couple of months ago and I didn't have a problem enabling the HEC per the docs above. As noted in my answer the url will be the url of your Splunk hostname prefixed with input- and suffixed by :8088. For example, if your Splunk url is

https://prd-p-cqzf26jjxqbp.cloud.splunk.com

Then, your target url is:

https://input-prd-p-cqzf26jjxqbp.cloud.splunk.com:8088/services/collector/event
0 Karma
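
The URL rule from the reply above, plus the two failure modes reported elsewhere in this thread (connection refused and timeout), as an added Python example that is not part of the original posts. The helper names are hypothetical; the `Authorization: Splunk <token>` header and the `{"event": ...}` body are the standard HEC request format and are assumed here rather than quoted from the thread.

```python
import json
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HEC_PORT = 8088  # port given in the thread


def hec_url(stack_url, path="/services/collector/event"):
    """Derive the HEC endpoint from a Splunk Cloud web URL (the thread's rule)."""
    full = stack_url if "://" in stack_url else "https://" + stack_url
    host = urlsplit(full).hostname
    if not host or not host.endswith(".cloud.splunk.com"):
        raise ValueError("not a Splunk Cloud hostname: %r" % stack_url)
    if not host.startswith("input-"):
        host = "input-" + host  # HEC listens on the input- prefixed name
    return "https://%s:%d%s" % (host, HEC_PORT, path)


def explain_failure(exc):
    """Map a connection error to the cause reported in the thread."""
    reason = getattr(exc, "reason", exc)  # URLError wraps the socket error
    if isinstance(reason, ConnectionRefusedError):
        return "refused: enable HEC under Data Inputs > HTTP Event Collector > Global Settings"
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout: port 8088 is not reachable on this stack"
    return "other: %s" % reason


def send_event(stack_url, token, event, timeout=10):
    """POST one event and return (ok, detail). TLS verification stays on."""
    req = urllib.request.Request(
        hec_url(stack_url),
        data=json.dumps({"event": event}).encode(),
        headers={"Authorization": "Splunk " + token},  # HEC token scheme
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, resp.read().decode()
    except urllib.error.HTTPError as e:  # reached HEC but it rejected the request
        return False, "http %d: %s" % (e.code, e.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError) as e:
        return False, explain_failure(e)
```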

vemulasplunk
Explorer

I tried the same on Splunk Cloud but it's not working for me.

0 Karma

hardikJsheth
Motivator

I even tried adding a HEC token and enabling it from global settings. I was able to update the global settings and save them, but it didn't allow an update to the HEC port, which was set to the default 8088. When I tried to send an HTTP POST, the request timed out, and even the nc command failed for 8088. It looks like we need to get this port enabled via cloud support, which means we can't do it on the trial version.

0 Karma

JosIJntema
Explorer

Hi,

I have a free trial version of Splunk Light. I can add HTTP Event Collectors within the UI. However, I cannot file a support ticket, because I have the free version.

What do you suggest?

0 Karma

vemulasplunk
Explorer

Same issue here, any help?

0 Karma

jdinunzio
New Member

@iguinn: Except that according to https://www.splunk.com/content/splunkcom/en_us/support-and-services/support-programs.html community users, the ones who are trying the product have no access to support.

So, could someone please confirm whether it is impossible to use HTTP Event Collector during the free trial, because setting it up requires "to work with the Cloud support team"?

0 Karma