You would be much better off using the new HTTP Event Collector in the new versions of Splunk (6.3+). We never went beyond our Stage environment with this.
That said - here are the basic steps we used (not enough space for a detailed explanation):
User account that is writing to REST API must have "edit_tcp" permission. We created a new role for this and a new user account specifically for REST API access that uses this role.
NOTE: You should probably also check what other REST end points to which this permission grants access. The account will likely have the ability to change configuration if you do not set more restrictive permissions. We did not bother to test this - so that is just a guess.
HINT: Data must be sent as HTTP POST data. If your data has quotes - best to put your data in a file for testing. Makes your life much simpler.
Example of sending data using CURL:
curl -D - -k -u USERID --data @POST_DATA_FILE 'https://SERVERNAME_OR_IP:8089/services/receivers/simple?source=SOURCE&index=INDEXNAME&sourcetype=SOURCETYPE'
Command breakdown:
-D - (dump headers to STDOUT)
-k (insecure - allow connections to SSL sites without certs)
-u USERID
--data
'https:...' (URL to send to your Splunk instance)
https://SERVERNAME_OR_IP:8089/services/receivers/simple (this is the endpoint for injection of events using the simple receiver method)
source=SOURCE (give your event a source - I usually use Web or httpRest)
index=INDEX (your user MUST have access to this index or the post will fail and if you don't specify an index, you will inject into the default index.)
sourcetype=SOURCETYPE (some unique sourcetype that has meaning to you and is not already in use - makes searching for new events much simpler)
You will be prompted for the password in this example because I don't put it in the curl command.
You should receive a 200 OK message if it was successful.
Any other response code means you have a problem.
If you see something like the following, it means the index (web_ops in this example output) is not valid or accessible to this user or via this Mgmt UI:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">supplied index 'web_ops' missing</msg>
</messages>
</response>
Once injected - you can view the event using standard Splunk search.
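The same receivers/simple POST as an added Python example (not from the answer above or from Splunk): it builds the URL with the three query parameters, authenticates with the dedicated REST user, verifies the server certificate instead of using -k, and treats the "supplied index ... missing" WARN message the answer shows as a failure. The host, user and sample responses are constructed placeholders.

```python
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ENDPOINT = "/services/receivers/simple"


def build_url(host, source, index, sourcetype, port=8089):
    """URL for the simple receiver with source, index and sourcetype set explicitly."""
    query = urllib.parse.urlencode({"source": source, "index": index, "sourcetype": sourcetype})
    return f"https://{host}:{port}{ENDPOINT}?{query}"


def parse_messages(body):
    """Return (type, text) pairs from Splunk's XML <response><messages> envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [(m.get("type"), (m.text or "").strip()) for m in root.iter("msg")]


def check_response(status, body):
    """Classify the reply: (ok, reason). Non-200 or any WARN/ERROR message is a failure."""
    if status != 200:
        return False, f"HTTP {status}"
    problems = [text for kind, text in parse_messages(body) if kind in ("WARN", "ERROR")]
    if problems:
        return False, "; ".join(problems)
    return True, "event accepted"


def post_event(url, user, password, data, cafile=None):
    """POST one event with Basic auth; TLS is verified (cafile for a private CA)."""
    req = urllib.request.Request(url, data=data.encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return check_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return check_response(exc.code, exc.read().decode())


# Constructed sample replies: the missing-index WARN from the answer, and a reply with no messages.
SAMPLE_MISSING_INDEX = ('<?xml version="1.0" encoding="UTF-8"?><response><messages>'
                        "<msg type=\"WARN\">supplied index 'web_ops' missing</msg></messages></response>")
SAMPLE_OK = '<?xml version="1.0" encoding="UTF-8"?><response><messages></messages></response>'
```

Call post_event(build_url("splunk.example.internal", "httpRest", "web_ops", "myapp_events"), "restuser", "password", "my test event", cafile="splunk-ca.pem") against a real instance; with the sample bodies above check_response can be exercised offline.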