There are many tutorials about this, and the Splunk Documentation. You need a Splunk Enterprise/Cloud instance (any instance; if it is not an Indexer, it must obviously have an outputs.conf to the Indexer[s]). You can create it in WebIf (Settings/Data inputs/HTTP Event Collector) with the wizard or in the shell; inputs.conf must contain something like

[http://TestTOKEN]
index = your_chosen_default_index
indexes = your_wanted_available_indexes
token = your_token (something like f6823587-1222-4cf0-ad8a-324b6def6d8d)
disabled = 0

Events can then be posted as described in the thread, with a POST with personal token Authentication.
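A small client for the POST step mentioned above, as an added example that is not part of the original post. The host name, port 8088, index names and the `SPLUNK_HEC_TOKEN` environment variable are assumptions; the request is built separately from sending so it can be inspected offline.

```python
import json
import os
import ssl
import urllib.request

# Assumed values (not from the post): host, port 8088, index names.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
ALLOWED_INDEXES = {"app_logs", "app_audit"}  # mirror the stanza's "indexes =" list


def build_hec_request(event, token, index=None, sourcetype="_json", url=HEC_URL):
    """Build (but do not send) a POST to the HEC event endpoint."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the HEC token over plain HTTP")
    if index is not None and index not in ALLOWED_INDEXES:
        raise ValueError(f"index {index!r} is not in the token's indexes list")
    payload = {"event": event, "sourcetype": sourcetype}
    if index is not None:  # omitted: the stanza's default "index =" applies
        payload["index"] = index
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",  # HEC token authentication
            "Content-Type": "application/json",
        },
    )


def send(request, cafile=None):
    """Send with certificate verification on; cafile is the CA for the HEC cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Read the token from the environment so it stays out of source control.
    token = os.environ["SPLUNK_HEC_TOKEN"]
    req = build_hec_request({"message": "constructed test event"}, token)
    print(send(req))
```

Limiting `indexes` in the stanza to what the sender actually needs bounds what a leaked token can write to.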