Splunk Cloud Platform

Event collector: What is the correct format in my search?

Loves-to-Learn Lots


I am following this documentation from GCP [1], which mentions to omit YOUR_SPLUNK_HEC_URL must not include the HEC endpoint path, for example, /services/collector

My question is more specifically related to this section [2], it mentions that format should be 


  • You must add http-inputs- before the <host>

which one would be the correct url, for eg




Send data to HTTP Event Collector on Splunk Cloud Platform 



Tags (3)
0 Karma


hey @danylan

Please use the below format for streaming the logs via HEC.


endpoint name would be services/collector/event or services/collector/raw.

Also the port name would be 443, i guess you made a typo to 433 below.


0 Karma

Loves-to-Learn Lots

433 was a typo, thanks. After changing with the hyphen it is still complaining about the url formation



Url format should match PROTOCOL://HOST:PORT]

When following the Splunk docs does it matter if we are on Splunk Cloud Platform or Splunk Enterprise? From the docs it seems the format is a bit different.

0 Karma


yes the format of the url changes on where you are sending the data either to splunk enterprise or splunk cloud.

Currently I am using splunk cloud and we curl from our sources using the below format.


curl -H "Authorization: Splunk <enter hec token>" https://http-inputs-stackname.splunkcloud.com/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

Hope this helps.

0 Karma

Loves-to-Learn Lots

@Roy_9 , ty for reply, i appreciate.

I am seeing something different

I am on splunk cloud not on enterprise my token is e6a0b67b-e6d0-418f-a2cd-4493804c7c92


I only get a success with the following

curl -k -H "Authorization: Splunk e6a0b67b-e6d0-418f-a2cd-4493804c7c92" https://prd-p-gap0o.splunkcloud.com:8088/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'

#i added -k to allow insecure connection but it does recognize the uri

When i try with http-inputs- it fails


Note: I am on a trial account by the way.

0 Karma


Ok @danylan got it, i remember there will be slight change in url for self service and managed service cloud, please have a look at the documentation.

Not sure about the below error, may be you need to open a fw connection from your machine to https://http-inputs-hostname.splunkcloud.com

If it is resolved, please accept the solution and appreciate you giving karma point.



0 Karma

Revered Legend

I believe it's with hyphen (see "where:" section in https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_...) where it says "

  • You must add http-inputs- before the <host>"


0 Karma
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...