Getting Data In

HEC with Splunk Cloud trial

philwild
Explorer

I am trying to send data to a Splunk Cloud free trial account.

Following the documentation here: https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/UsetheHTTPEventCollector

This is what I should use:

You must send data using a specific URI for HEC.

The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

But the domain name does not exist (the subdomain with the http-inputs. part).

Is the documentation wrong? How do I get this working?


philwild
Explorer

That kind of goes against the documentation then. 

I've done some investigating...

Looking at outputs.conf of the bundled forwarder app, there is a single host associated with the trial instance. I'm now assuming this "free-trial" service is just a cloud provisioned "pseudo" "Splunk Enterprise" instance.

I've also just confirmed that port 8088 is open on the stack address.

Based on that, I've just tested following the instructions for basic Splunk Enterprise and it works...

So the answer is... For Splunk Cloud trials as of 06 May 2022, use the Splunk Enterprise config, being

https://<stack>.splunkcloud.com:8088/services/collector/event

FYI: @jmeager_splunk 

isoutamo
SplunkTrust
Thanks, it's good to know that this is currently possible if needed.
0 Karma
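
The hostname check from the accepted answer, as an added example that is not part of the original thread: it tries the documented `http-inputs.` hostname first and falls back to the stack hostname on port 8088 when the documented name does not resolve. The stack name, token and sourcetype are constructed placeholders, and the function names are hypothetical.

```python
import json
import socket
import urllib.request

HEC_PORT = 8088                      # port the thread confirmed open on the stack
HEC_PATH = "/services/collector/event"


def candidate_hosts(stack):
    """Hostnames to try: documented trial form first, then the stack itself."""
    return [f"http-inputs.{stack}.splunkcloud.com", f"{stack}.splunkcloud.com"]


def resolves(host):
    """True if DNS returns at least one address for the name."""
    try:
        socket.getaddrinfo(host, HEC_PORT)
        return True
    except socket.gaierror:
        return False


def pick_hec_url(stack, resolver=resolves):
    """Return the HEC URL for the first candidate that resolves, else None."""
    for host in candidate_hosts(stack):
        if resolver(host):
            return f"https://{host}:{HEC_PORT}{HEC_PATH}"
    return None


def build_request(url, token, event, sourcetype="manual"):
    """Build (not send) the HEC POST; the token travels only in the header."""
    body = json.dumps({"event": event, "sourcetype": sourcetype}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # "example-stack" and the all-zero token are constructed placeholders.
    url = pick_hec_url("example-stack")
    if url is None:
        raise SystemExit("no HEC hostname resolves for this stack")
    req = build_request(url, "00000000-0000-0000-0000-000000000000", "hello")
    # urlopen verifies the server's TLS certificate by default.
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read().decode())
```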