Splunk Cloud Platform

Splunk Cloud HEC Endpoint Help

dchapman
Explorer

Hello,

I am having issues configuring the HTTP Event Collector on my organization's Splunk Cloud instance. I have set up a token, and have been trying to test using the example curl commands. However, I am having issues discerning which endpoint is the correct one. I have tested out several endpoint formats:

- https://<org>.splunkcloud.com:8088/services/collector

- https://<org>.splunkcloud.com:8088/services/collector/event

- https://http-inputs-<org>.splunkcloud.com:8088/services/collector...

- several others that I have forgotten.

For context, I do receive a response when I get from https://<org>.splunkcloud.com/services/server/info

From what I understand, you cannot change the port from 8088 on a cloud instance, so I do not think it is a port error. 

Can anyone point me to any resources that would be able to help me determine the correct endpoint?
(Not this: Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation. I've browsed for hours trying to find a more comprehensive resource.)

 

Thank you!

 


richgalloway
SplunkTrust

It would help if you told us a little about the issues you are having rather than just saying you have issues.

We also need to know which platform you use (AWS or GCP) and if it is a trial or paid account.  Those answers are used at https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_E... to determine the correct endpoint.  It could indeed be a port error.

The URL from which you got a response is a REST API endpoint, not a HEC endpoint.

---
If this reply helps you, Karma would be appreciated.

dchapman
Explorer

Thank you for your response.

 

Yes, I know it is not an HEC endpoint. That detail was included to illustrate that it is not a cURL syntax error. It is a paid account, and the instance is hosted by Splunk.


I am mostly getting

curl: (28) Failed to connect to <org>.splunkcloud.com port 8088 after 21053ms: could not connect to server

 

Just to clarify the purpose of this: I am writing a script to ingest data from another of our services over HTTP.

Thank you for your help.


richgalloway
SplunkTrust

Nit: the instance is *managed* by Splunk, but it is *hosted* by either AWS or GCP.  Contact your Splunk admin if you don't know which host you have.

If you're not on a trial account then the port number will be 443.

Make sure the computer you are connecting from is on your Splunk Cloud Allowed IP List.

---
If this reply helps you, Karma would be appreciated.

dchapman
Explorer

Hosted by AWS. Yes, port 443 works.
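
Added example (not code from the thread or from Splunk): a Python version of the ingest script described above that posts to the HEC event endpoint on port 443 and tells the connect timeout seen earlier apart from a token problem. It assumes a paid stack on AWS reachable at `http-inputs-<stack>.splunkcloud.com`; the function names and the `SPLUNK_STACK` / `SPLUNK_HEC_TOKEN` environment variables are hypothetical.

```python
import json
import os
import socket
import urllib.error
import urllib.request

# Assumption: paid Splunk Cloud stack on AWS, HEC on port 443 at
# http-inputs-<stack>.splunkcloud.com. Trial and GCP stacks differ.
HEC_PORT = 443


def build_hec_request(stack, token, event, sourcetype="_json"):
    """Build (but do not send) a POST to the HEC event endpoint."""
    if not stack.replace("-", "").isalnum():
        raise ValueError("stack must be a bare stack name, not a URL")
    url = f"https://http-inputs-{stack}.splunkcloud.com:{HEC_PORT}/services/collector/event"
    body = json.dumps({"event": event, "sourcetype": sourcetype}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def diagnose(exc):
    """Map a send failure to the most likely cause raised in the thread."""
    if isinstance(exc, urllib.error.HTTPError):  # subclass of URLError: check first
        if exc.code in (401, 403):
            return "reached HEC; token rejected or disabled"
        return f"reached HEC; HTTP {exc.code}"
    reason = getattr(exc, "reason", exc)  # URLError wraps the socket error
    if isinstance(reason, (TimeoutError, socket.timeout)):
        return "connect timeout: wrong port, or source IP not on the allow list"
    if isinstance(reason, socket.gaierror):
        return "DNS failure: wrong HEC hostname for this stack"
    return f"network error: {reason}"


def send_event(stack, token, event, timeout=10):
    """Send one event; urllib verifies the TLS certificate by default."""
    req = build_hec_request(stack, token, event)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)  # success body: {"text": "Success", "code": 0}
    except (urllib.error.URLError, TimeoutError) as exc:
        return {"error": diagnose(exc)}


if __name__ == "__main__":  # token comes from the environment, not the source
    print(send_event(os.environ["SPLUNK_STACK"], os.environ["SPLUNK_HEC_TOKEN"],
                     {"message": "hec connectivity test"}))
```
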

isoutamo
SplunkTrust

Hi

Here are the endpoints which you must use. Select the correct one based on your SCP instance type.

Configure HTTP Event Collector on Splunk Enterprise

r. Ismo
