Dashboards & Visualizations

How to set up HTTP event collector in a search head cluster, and does the token need to be in a specific format?

athorat
Communicator

I do not see an option for http event collector in Splunk Web.
We have a search head cluster and an indexer cluster.
Should I create an app on the deployer and push the configuration to all search heads?
Also, another question is about the token which needs to be generated. Does it have to be in any specific format, or can any random token work?

Thanks a ton.


marcellodesales
Path Finder

After I disabled SSL, it could connect... However, I'm getting the following:

$ curl -k  http://localhost:8088/services/collector/event -H "Authorization: Splunk 3C9B0C01-F531-46F1-9F49-C27347C6FE7C" -d '{"event": "hello world"}'
{"text":"Data channel is missing","code":10}

Did the format change? What's the new version?

renjith_nair
Legend

HTTP event collector is another form of input in Splunk and is configured using inputs.conf.
A search head cluster does not allow data inputs to be created from the web UI, and inputs.conf is not part of the replicated configuration file list. Information about SHC replication is available here: How conf repo works in SHC.

HEC can be configured in different ways depending on your infrastructure design, and a few of them are mentioned under HEC. If you would like to configure HEC on search heads, it's suggested to use the deployer as mentioned in Propagate SHC configuration changes.

Regarding the token, it's suggested to leave it to Splunk to create tokens for you; the only restriction mentioned in the documents is "The token must be a GUID, and must be unique."

---
What goes around comes around. If it helps, hit it with Karma 🙂
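As an added illustration (not part of the answer above and not taken from Splunk's documentation), this is the shape of a deployer app that carries the HEC settings the answer describes: the global `[http]` stanza that enables the collector, and one token stanza. The app name `hec_inputs`, the sourcetype, and the token value are placeholders; the index `np_dpa` is the one used elsewhere in this thread. Generate the token with `uuidgen` or let `splunk http-event-collector create` do it; any GUID works, but it must be unique.

```ini
# Deployer: $SPLUNK_HOME/etc/shcluster/apps/hec_inputs/local/inputs.conf  (app name is hypothetical)
# Pushed to every member with: splunk apply shcluster-bundle -target https://<member>:8089
# The members then forward the received events to the indexers via their outputs.conf.

[http]
disabled = 0
port = 8088
# Clients must use https:// when this is 1 and http:// when it is 0;
# a scheme mismatch shows up as a connection reset rather than a JSON error.
enableSSL = 1

[http://SOAHTTPPROD]
disabled = 0
# Placeholder GUID; replace with a freshly generated, unique one.
token = 00000000-0000-0000-0000-000000000000
# Default index for events that do not name one, and the only index this token may write to.
index = np_dpa
indexes = np_dpa
sourcetype = SOA:PROD:HTTPEVEN
# Leave indexer acknowledgement off unless clients send an X-Splunk-Request-Channel header.
useACK = 0
```

Because the app lives under `etc/apps` on each member rather than in the replicated configuration, changing the token later means editing it on the deployer and pushing the bundle again.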

athorat
Communicator

We have a 3-node Search Head Cluster, ver 6.3
4-node indexer cluster, ver 6.3
2 heavy forwarders, ver 6.1
Cluster Master, ver 6.3
and a Deployer, ver 6.3

We tried to create a token on the cluster master, as it's a stand-alone machine (and ver 6.3). Configured the outputs.conf.
Used the following command to generate a token

 /opt/splunk/bin/splunk http-event-collector create new-token "SOAHTTPPROD" -index np_dpa -uri "https://p01apl388.:8089"

When I run the following command I get an error: " curl: (56) Recv failure: Connection reset by peer"

curl -k http://p01apl388:8088/services/collector/event/ -H "Authorization: Splunk CA3DEC9C-B060-495A-BD6E-C7BB8CE7039D" -d '{"event": "hello world"}'

A oneshot indexes data from the cluster master:

./splunk add oneshot "/opt/splunk/testevent.log" -index np_dpa -sourcetype SOA:PROD:HTTPEVEN

nc -v p01apl388 8088 shows the connection as successful.

Not sure what the issue is here.

Thanks a ton for looking into this @renjith.nair


tmuth_splunk
Splunk Employee

Is HEC configured for non-HTTPS? Put differently, are you posting over HTTP to an HTTPS-only endpoint?


athorat
Communicator

Hi @tmuth_splunk, can you please throw some light on what I should be checking?
Right now I am trying to send a test event using curl from the same host where HEC is configured to the indexers.


tmuth_splunk
Splunk Employee

Settings > Data Inputs > HTTP Event Collector > "Global Settings" button at top > "Enable SSL" checkbox (checked by default)
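The thread touches three separate ways a first HEC post goes wrong: a token that is not a GUID, a client using `http://` against a listener with "Enable SSL" checked (the "Connection reset by peer" in this thread), and the `{"text":"Data channel is missing","code":10}` reply. The page does not say why the last one appears; it is HEC's answer when the token has indexer acknowledgement (useACK) enabled and the request carries no `X-Splunk-Request-Channel` header. The script below is an added example, not code from this thread or from Splunk: it validates the token, builds the URL from the collector's SSL setting, posts the event, and retries once with a channel GUID if HEC reports code 10. The host, token, and index on the command line are whatever you pass in; `transport` is injectable so the logic can be exercised without a collector.

```python
"""Post a test event to Splunk HEC and diagnose the common first-run failures.
Added example; host names, tokens and indexes are supplied by the caller."""
import json
import re
import ssl
import sys
import urllib.error
import urllib.request
import uuid

# HEC tokens are GUIDs; Splunk generates a random one if you do not supply it.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def is_valid_hec_token(token):
    """True if the token is a GUID, the only format restriction HEC imposes."""
    return bool(GUID_RE.match(token))


def hec_url(host, port=8088, enable_ssl=True):
    """Collector URL. The scheme must match the collector's global enableSSL
    setting: plain http:// to an SSL-enabled listener gets the connection reset
    instead of a JSON reply."""
    return "%s://%s:%d/services/collector/event" % (
        "https" if enable_ssl else "http", host, port)


def hec_headers(token, channel=None):
    """Authorization header, plus the channel header when ACK is in play."""
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    if channel is not None:
        # Required when the token has indexer acknowledgement (useACK) enabled.
        headers["X-Splunk-Request-Channel"] = channel
    return headers


def hec_payload(event, index=None, sourcetype=None):
    """JSON body for /services/collector/event; index and sourcetype override
    the token's defaults (the token must be allowed to write to that index)."""
    body = {"event": event}
    if index:
        body["index"] = index
    if sourcetype:
        body["sourcetype"] = sourcetype
    return json.dumps(body)


def classify_response(status, body):
    """Turn HEC's JSON reply into a short diagnosis string."""
    try:
        reply = json.loads(body)
    except ValueError:
        return "non-json:%d" % status  # proxy page, wrong port, or not HEC at all
    code = reply.get("code")
    if code == 0:
        return "ok"
    if code == 10:
        # "Data channel is missing": token has ACK enabled, no channel header sent.
        return "channel-missing"
    return "hec-error-%s:%s" % (code, reply.get("text", ""))


def urllib_transport(url, headers, body, verify_tls=True):
    """Real HTTP POST; returns (status, reply_body). HEC answers 4xx with JSON."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; acceptable only for a lab self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def send_event(host, token, event, enable_ssl=True, verify_tls=True, index=None,
               sourcetype=None, channel=None, transport=urllib_transport):
    """Validate the token, post the event, and retry once with a fresh channel
    GUID if HEC reports the channel is missing. Returns (diagnosis, channel)."""
    if not is_valid_hec_token(token):
        raise ValueError("HEC token must be a GUID: %r" % token)
    url = hec_url(host, enable_ssl=enable_ssl)
    body = hec_payload(event, index, sourcetype)
    status, reply = transport(url, hec_headers(token, channel), body, verify_tls)
    diagnosis = classify_response(status, reply)
    if diagnosis == "channel-missing" and channel is None:
        channel = str(uuid.uuid4())  # any GUID; reuse it for a client's later posts
        status, reply = transport(url, hec_headers(token, channel), body, verify_tls)
        diagnosis = classify_response(status, reply)
    return diagnosis, channel


if __name__ == "__main__":
    # Usage: python hec_post.py <host> <token> [index]   (SSL on, cert not verified)
    host, token = sys.argv[1], sys.argv[2]
    index = sys.argv[3] if len(sys.argv) > 3 else None
    print(send_event(host, token, {"message": "hello world"}, index=index,
                     verify_tls=False))
```

If the result is `ok` but nothing shows up in search, the remaining suspects are the token's `indexes` allow-list and the outputs.conf on the host running HEC, since the collector only accepts the event and hands it to the forwarding pipeline.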
