Splunk Cloud Platform

Event collector: What is the correct format in my search?

danylan
Loves-to-Learn Lots

Hi 

I am following this documentation from GCP [1], which mentions that YOUR_SPLUNK_HEC_URL must not include the HEC endpoint path, for example /services/collector.

My question is more specifically related to this section [2], which mentions that the format should be

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

  • You must add http-inputs- before the <host>

Which one would be the correct URL, e.g.

https://http-inputs.xxxx.splunkcloud.com:433

or

https://http-inputs-xxxx.splunkcloud.com:433

Send data to HTTP Event Collector on Splunk Cloud Platform 

[1]https://cloud.google.com/architecture/deploying-production-ready-log-exports-to-splunk-using-dataflo...

[2]https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Eve...

0 Karma

Roy_9
Motivator

hey @danylan

Please use the below format for streaming the logs via HEC.

https://http-inputs-hostname.splunkcloud.com

The endpoint name would be services/collector/event or services/collector/raw.

Also, the port would be 443; I guess you made a typo with 433 below.


Thanks

0 Karma

danylan
Loves-to-Learn Lots

433 was a typo, thanks. After changing to the hyphen, it is still complaining about the URL format:

Url format should match PROTOCOL://HOST:PORT]

When following the Splunk docs does it matter if we are on Splunk Cloud Platform or Splunk Enterprise? From the docs it seems the format is a bit different.

0 Karma

Roy_9
Motivator

Yes, the format of the URL changes depending on where you are sending the data, either to Splunk Enterprise or Splunk Cloud.

Currently I am using Splunk Cloud, and we curl from our sources using the below format.

curl -H "Authorization: Splunk <enter hec token>" https://http-inputs-stackname.splunkcloud.com/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

Hope this helps.

0 Karma
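The URL rules discussed in this thread (https, the http-inputs- prefix with a hyphen, an explicit port as in the PROTOCOL://HOST:PORT error, and no /services/collector path in the base URL the Dataflow template is given) can be checked before anything is sent. The script below is an added example, not code from the thread or from Splunk or Google; the host and port checks are assumptions drawn from the posts above, and the token and hostname values are placeholders.

```python
"""Sanity-check a Splunk Cloud HEC base URL and build the collector endpoint.

Added example (not from the thread). The rules are assumptions drawn from the
discussion: https scheme, host beginning with "http-inputs-" (hyphen, not dot),
explicit port 443, and no endpoint path in the base URL, because the Dataflow
template appends /services/collector itself.
"""
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def check_hec_base_url(url: str) -> list[str]:
    """Return a list of problems with the base URL; an empty list means it looks right."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https (the HEC token travels in a header)")
    host = parts.hostname or ""
    if not host.startswith("http-inputs-"):
        problems.append('host must start with "http-inputs-" (hyphen, not dot)')
    if not host.endswith(".splunkcloud.com"):
        problems.append("host must end with .splunkcloud.com")
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("port is not a number")
    if port is None:
        problems.append("port must be given explicitly, e.g. :443 (PROTOCOL://HOST:PORT)")
    elif port != 443:
        problems.append(f"port {port} is unusual; Splunk Cloud HEC listens on 443")
    if parts.path not in ("", "/"):
        problems.append("base URL must not include the endpoint path (/services/collector...)")
    if parts.query or parts.fragment:
        problems.append("base URL must not carry a query string or fragment")
    return problems


def hec_endpoint(base_url: str, kind: str = "event") -> str:
    """Append the collector endpoint (services/collector/event or .../raw) to a base URL."""
    if kind not in ("event", "raw"):
        raise ValueError("kind must be 'event' or 'raw'")
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, f"/services/collector/{kind}", "", ""))


def send_event(base_url: str, token: str, event, index: str = "test",
               sourcetype: str = "test", timeout: int = 10) -> dict:
    """POST one JSON event to the event endpoint; the same request as the curl in the thread.

    This performs a real network call and is not exercised offline. TLS verification
    is left on deliberately: no equivalent of curl -k.
    """
    problems = check_hec_base_url(base_url)
    if problems:
        raise ValueError("bad HEC base URL: " + "; ".join(problems))
    payload = json.dumps({"sourcetype": sourcetype, "index": index, "event": event}).encode()
    req = urllib.request.Request(
        hec_endpoint(base_url, "event"),
        data=payload,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample URLs mirroring the two variants asked about above.
    for candidate in ("https://http-inputs.xxxx.splunkcloud.com:433",
                      "https://http-inputs-xxxx.splunkcloud.com:443"):
        issues = check_hec_base_url(candidate)
        print(candidate, "->", "OK" if not issues else issues)
    print(hec_endpoint("https://http-inputs-xxxx.splunkcloud.com:443", "event"))
```

Run it with no arguments to see the two URLs from the question checked; call send_event() with your own placeholder-free base URL and token when you are ready to post a test event.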

danylan
Loves-to-Learn Lots

@Roy_9, thanks for the reply, I appreciate it.

I am seeing something different.

I am on Splunk Cloud, not on Enterprise; my token is e6a0b67b-e6d0-418f-a2cd-4493804c7c92

I only get a success with the following:

curl -k -H "Authorization: Splunk e6a0b67b-e6d0-418f-a2cd-4493804c7c92" https://prd-p-gap0o.splunkcloud.com:8088/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

# I added -k to allow an insecure connection, but it does recognize the URI.

When I try with http-inputs- it fails.

Note: I am on a trial account by the way.

0 Karma

Roy_9
Motivator

OK @danylan, got it. I remember there is a slight change in the URL for self-service and managed-service cloud; please have a look at the documentation.

Not sure about the below error; maybe you need to open a firewall connection from your machine to https://http-inputs-hostname.splunkcloud.com

If it is resolved, please accept the solution, and I would appreciate a karma point.

Thanks

0 Karma

somesoni2
Revered Legend

I believe it's with the hyphen (see the "where:" section in https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_...), where it says:

  • You must add http-inputs- before the <host>

0 Karma