Splunk Enterprise

Help on basic questions concerning HEC?

jip31
Motivator

Hi

I have read all the HEC Splunk documentation but there are some things that are not clear to me.

I know the process to create a new token

  1. Log on your Splunk server.
  2. Go to Settings > Data Inputs > HTTP Event Collector > Global Settings.
  3. Edit the Global Settings. Click the Enabled button for the All Tokens option. ...
  4. Go to Settings > Data Inputs.
  5. Click +Add New in the HTTP Event Collector row to create a new HEC token.

So, unless I am mistaken, a new stanza is created in the inputs.conf file of the Heavy Forwarder?

If yes, do we also have to update the outputs.conf file on the Heavy Forwarder to route the events to the indexers?

Are there any other configurations to do?

I have also understood how to test our HTTP Event Collector with the curl command:

curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'

In this example, does https://mysplunkserver.example.com:8088 correspond to the HEC endpoint?

What I also do not understand is, when the HEC configuration works, how the events are automatically sent to the Splunk platform. Is there a scheduled task to do this?

Finally, if somebody has interesting tutorials on HEC topics (other than Splunk's tutorials), I would be very interested.

Thanks

0 Karma

richgalloway
SplunkTrust

The new stanza of the inputs.conf file is created on the instance where you are signed in. If that's the HF then the HEC input will be on the HF.

There is no need to change outputs.conf because the HF already knows (because it's a forwarder) how to send events to the indexers. HEC has no bearing on how forwarders send data to indexers or how outputs.conf is configured.

HEC events are sent from HF to indexer exactly the same way any other events are sent - via a SplunkTCP connection from the HF to port 9997 (or other port if so configured) on the indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
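On the "is there a scheduled task" question: nothing on the Splunk side pulls from the source; the source itself POSTs to the HEC endpoint, exactly as the curl test does. The following is an added example (not from this thread, not Splunk's code) that does the same push from Python with the same assumed URL and token as the curl command, batches several events into one request, and interprets the JSON reply HEC returns; the HEC_URL and HEC_TOKEN values are placeholders.

```python
import json
import os
import ssl
import urllib.error
import urllib.request

# Assumed placeholder values matching the curl test in the question; use your own.
HEC_URL = "https://mysplunkserver.example.com:8088/services/collector/event"
# Read the real token from the environment so it never lands in source control.
HEC_TOKEN = os.environ.get("HEC_TOKEN", "12345678-1234-1234-1234-1234567890AB")

# Common codes in the JSON body HEC returns ({"text": "...", "code": N}).
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 5: "No data",
             6: "Invalid data format", 7: "Incorrect index"}

def build_batch(events, sourcetype, index=None, host=None):
    """Serialise events as concatenated JSON objects; the /services/collector/event
    endpoint accepts several of them in one POST, so a batch costs one request."""
    lines = []
    for ev in events:
        obj = {"sourcetype": sourcetype, "event": ev}
        if index:
            obj["index"] = index
        if host:
            obj["host"] = host
        lines.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(lines)

def parse_response(status, body):
    """Map an HTTP status plus HEC JSON body to (accepted, message)."""
    try:
        data = json.loads(body)
    except ValueError:  # not HEC at all (proxy page, wrong port, ...)
        return False, f"non-JSON reply, HTTP {status}"
    code = data.get("code")
    return (status == 200 and code == 0), HEC_CODES.get(code, data.get("text", "unknown"))

def send_batch(payload, url=HEC_URL, token=HEC_TOKEN):
    """POST the batch with the 'Splunk <token>' header over verified TLS."""
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # verify the HEC certificate; do not disable this
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # HEC reports rejected tokens/data as 4xx
        return parse_response(err.code, err.read())

if __name__ == "__main__":
    ok, msg = send_batch(build_batch(["http auth ftw!", "second event"], "my_sample_data"))
    print("HEC accepted the batch" if ok else f"HEC rejected the batch: {msg}")
```

A rejected token comes back as HTTP 403 with code 4, and an empty payload as HTTP 400 with code 5, so the client can tell a configuration problem from a transport problem.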

jip31
Motivator

So if I am signed on to a UF, it means there will be an inputs.conf file too, but also an outputs.conf file?

Thanks

0 Karma

PickleRick
SplunkTrust

Unless something changed recently and I missed it, the UF has no GUI, so you can't be logged in to it 😉 And you can't define an HEC input on a UF.

But in general, inputs and outputs are two different things. You define an input to ingest data (monitor files, listen on HEC or syslog, and so on); the ingested data goes through Splunk's internal queues and then gets written to disk (if it's an indexer) and/or sent to the defined outputs.

0 Karma

jip31
Motivator

Thanks

2 last questions:

1) Could you confirm that the volume of data ingested with HEC is taken into account by the license volume manager, like the volume of data ingested with the UF?

2) Is it possible to use the same token for different HEC sources?


0 Karma

PickleRick
SplunkTrust

1) The license usage is counted based on the amount of _raw data written to indexes, regardless of which inputs it's getting ingested from. So it doesn't matter if it's a UF's monitor input, an HF's HEC or a modular input - it's still counted based on how much data (_raw data, mind you) it ingests.

2) In some scenarios - yes, but often the source is not able to define the metadata, so you're distinguishing sources by the token. So technically - yes, but in practical situations I wouldn't recommend it except in some very specific cases.

0 Karma