Hello,
I am having issues configuring the HTTP Event Collector on my organization's Splunk Cloud instance. I have set up a token, and have been trying to test using the example curl commands. However, I am having issues discerning which endpoint is the correct one. I have tested out several endpoint formats:
- https://<org>.splunkcloud.com:8088/services/collector
- https://<org>.splunkcloud.com:8088/services/collector/event
- https://http-inputs-<org>.splunkcloud.com:8088/services/collector...
- several others that I have forgotten.
For context, I do receive a response when I get from https://<org>.splunkcloud.com/services/server/info
From what I understand, you cannot change the port from 8088 on a cloud instance, so I do not think it is a port error.
Can anyone point me to any resources that would be able to help me determine the correct endpoint?
(Not this: Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation. I've browsed for hours trying to find a more comprehensive resource.)
Thank you!
It would help if you told us a little about the issues you are having rather than just saying you have issues.
We also need to know which platform you use (AWS or GCP) and if it is a trial or paid account. Those answers are used at https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_E... to determine the correct endpoint. It could indeed be a port error.
The URL from which you got a response is a REST API endpoint, not a HEC endpoint.
Thank you for your response.
Yes, I know it is not an HEC endpoint. That detail was included to illustrate that it is not a cURL syntax error. It is a paid account, and the instance is hosted by Splunk.
I am mostly getting
curl: (28) Failed to connect to <org>.splunkcloud.com port 8088 after 21053ms: could not connect to server
Just to clarify the purpose of this. I am writing a script to ingest data from another of our services over http.
Thank you for your help.
Nit: the instance is *managed* by Splunk, but it is *hosted* by either AWS or GCP. Contact your Splunk admin if you don't know which host you have.
If you're not on a trial account then the port number will be 443.
Make sure the computer you are connecting from is on your Splunk Cloud Allowed IP List.
Hosted by AWS. Yes, port 443 works.
Hi
Here are the endpoints which you must use. Select the correct one based on your SCP instance type.
Configure HTTP Event Collector on Splunk Enterprise
r. Ismo
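
The endpoint selection discussed in this thread (host platform plus trial or paid account), as an added shell example that is not part of any post above. It builds the HEC URL, rejects stack names that could redirect the request to another host, and sends one test event with the token passed on stdin rather than in the process arguments. Assumptions: the hostname patterns follow my reading of the Splunk documentation linked in the thread and should be checked against it; `acme`, `HEC_TOKEN`, the function names and the test event are placeholders made up for this example.

```shell
#!/bin/sh
# Added example: pick the Splunk Cloud HEC URL from stack name, host platform
# and account type, then send one constructed test event.

# hec_url STACK PLATFORM ACCOUNT -> prints the HEC event endpoint URL
hec_url() {
    stack=$1 platform=$2 account=$3
    # Allow only hostname-label characters so the stack name cannot smuggle
    # in another host, a path or a port.
    case "$stack" in
        ''|*[!A-Za-z0-9-]*) echo "invalid stack name" >&2; return 2 ;;
    esac
    if [ "$account" = "trial" ]; then
        # Assumption from the docs: trial stacks use the plain hostname on 8088
        host="$stack.splunkcloud.com" port=8088
    elif [ "$account" = "paid" ]; then
        port=443   # per the thread: non-trial accounts use 443
        case "$platform" in
            aws) host="http-inputs-$stack.splunkcloud.com" ;;
            gcp) host="http-inputs.$stack.splunkcloud.com" ;;
            *)   echo "platform must be aws or gcp" >&2; return 2 ;;
        esac
    else
        echo "account must be trial or paid" >&2; return 2
    fi
    printf 'https://%s:%s/services/collector/event\n' "$host" "$port"
}

# hec_send URL -> posts a test event; token comes from $HEC_TOKEN
hec_send() {
    [ -n "${HEC_TOKEN:-}" ] || { echo "set HEC_TOKEN" >&2; return 2; }
    # -H @- reads the header from stdin, keeping the token out of argv.
    # Short timeouts surface an IP allow list block quickly.
    printf 'Authorization: Splunk %s\n' "$HEC_TOKEN" |
        curl --silent --show-error --connect-timeout 5 --max-time 15 \
             -H @- -d '{"event": "hec connectivity test", "sourcetype": "manual"}' "$1"
}

# Usage: sh hec.sh send <stack> <aws|gcp> <trial|paid>
if [ "${1:-}" = "send" ]; then
    url=$(hec_url "$2" "$3" "$4") || exit 2
    hec_send "$url"
fi
```

A connect timeout from an otherwise correct URL points at the port or the Splunk Cloud IP allow list, as the replies above note, rather than at the token.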