Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on basic questions concerning HEC?

jip31
Motivator
‎12-03-2022 10:34 PM

Hi

I have read all the HEC Splunk documentations but there is some things that are not clear for me

I know the process to create a new token

  1. Log on your Splunk server.
  2. Go to Settings > Data Inputs > HTTP Event Collector > Global Settings.
  3. Edit the Global Settings. Click the Enabled button for the All Tokens option. ...
  4. Go to Settings > Data Inputs.
  5. Click +Add New in the HTTP Event Collector row to create a new HEC token.

    So except if I am mistaken a new stanza is created in the inputs.conf file of the Heavy Forwarder?

    If yes, do we also have to update the output.conf file on the Heavy Forwarder to route the events to the indexers.

    Is there any other configurations to do?

    I have also understood how to test our HTTP Event Collector with the curl commandcurl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'In this example does https://mysplunkserver.example.com:8088 correspond to he HEC endpoint?

    What I also do not understand is when the HEC cinguration works, how the events are automatically sent to the Splunk platform. Is there a scheduled task to do this?

    Finally, if somebody has interestiong tutorials on HEC topics (except tutorials Splunk), I will be very interested in

    Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-17-2022 06:53 AM

1) The license usage is counted based on amount of _raw data written to indexes regardless of whatever inputs it's getting ingested from. So it doesn't matter if it's UF's monitor input, HF's HEC or a modular input - it's still getting counted based on how much data (_raw data, mind you) it ingests.

2) In some scenarios - yes but often the source is not able to define the metadata so you're distinguishing sources by the token. So techincally - yes but in practical situation I wouldn't recommend it except some very specific cases.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2022 07:02 AM

The new stanza of the inputs.conf file is created on the instance where you are signed in. If that's the HF then the HEC input will be on the HF.

There is no need to change outputs.conf because the HF already knows (because it's a forwarder) how to send events to the indexers. HEC has no bearing on how forwarders send data to indexers or how outputs.conf is configured.

HEC events are sent from HF to indexer exactly the same way any other events are sent - via a SplunkTCP connection from the HF to port 9997 (or other port if so configured) on the indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎12-04-2022 09:57 PM

So if I am signed on UF, it means there will be an inputs.conf file too but also an output.conf file?

Thanks

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-04-2022 11:06 PM

Unless something changed recently and I missed it, UF has no gui so you can't be logged in to it 😉 And you can't define HEC input on UF.

But in general - inputs and outputs are two different things. You define an input to ingest data (monitor files, listen on HEC or syslog and so on), the ingested data gets through splunk internal queues then gets written to disk (if it's an indexer) and/or sent to defined outputs.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎12-12-2022 06:04 AM

thanks

2 last question

1) could you confirm me that the volume of data ingested with HEC are taken into account in the license volume manager like the volume of data ingested with the UF?

2) is it possible to use the same token for different HEC sources?

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-17-2022 06:53 AM

1) The license usage is counted based on amount of _raw data written to indexes regardless of whatever inputs it's getting ingested from. So it doesn't matter if it's UF's monitor input, HF's HEC or a modular input - it's still getting counted based on how much data (_raw data, mind you) it ingests.

2) In some scenarios - yes but often the source is not able to define the metadata so you're distinguishing sources by the token. So techincally - yes but in practical situation I wouldn't recommend it except some very specific cases.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...