Send event data to Splunk directly via HTTP or HTTPS.
Efficiently ingest data into Splunk without the need for intermediary files or complex configurations.
The benefits of Splunk HEC
- Efficiency: Reduces latency in data ingestion.
- Ease of Integration: Uses standard protocols and is compatible with a wide variety of programming languages.
- Security: Allows secure transmission of sensitive data.
Key features
Splunk HEC is a powerful tool for real-time data ingestion, especially useful in environments where data speed and security are critical.
- Real-Time Data Ingestion: Sends data in real time directly to Splunk from applications, services, and devices.
- HTTP/HTTPS Protocol: Uses HTTP and HTTPS, making it easy to integrate a wide range of data sources.
- No Intermediate Files Needed: Eliminates intermediary log files, reducing latency and simplifying the ingestion process.
- Security: Offers authentication and encryption via HTTPS, protecting data in transit.
- Scalability: Handles large volumes of event data, making it suitable for enterprise applications and production environments.
- Flexible Configuration: Lets you configure separate tokens for different data sources.
Using Splunk Tokens
After logging in to your Splunk Cloud instance using your Splunk account credentials, go to the Splunk Cloud dashboard.
Select Settings and find the list of Tokens. Copy the token you want to use to your clipboard so you can enter it in your Sink.
Use the token or script to authenticate requests to your Splunk Cloud instance. The token is sent in the Authorization header of each HTTP request.
Using Docker
Below are step-by-step instructions for running Splunk with HEC in a Docker container, with the commands each step needs.

1. Pull the Splunk image:

docker pull splunk/splunk:latest

2. Create a private CA that will sign the server certificate:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Organizational Unit/CN=CA"

3. Write an openssl.cnf describing the server certificate. The subjectAltName entries must cover every name or address clients will connect to (replace your_local_ip with the address of your host):

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
# The extensions to add to the self-signed cert
x509_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = Organizational Unit
CN = localhost

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1 = your_local_ip
DNS.1 = localhost
DNS.2 = host.docker.internal

4. Generate the server key and a certificate signing request, then sign the request with the CA:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config openssl.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions req_ext -extfile openssl.cnf

5. Bundle the certificate with its key and place the files where the container will find them:

cat server.crt server.key > server.pem
mkdir -p ~/splunk/etc/auth
cp server.pem ~/splunk/etc/auth/server.pem
cp server.key ~/splunk/etc/auth/server.key
cp ca.crt ~/splunk/etc/auth/cacert.pem

6. Configure splunkd to use the certificate (server.conf, for example ~/splunk/etc/system/local/server.conf, which the mount below exposes as /opt/splunk/etc/system/local/server.conf). sslPassword is only needed if server.key is encrypted; the genrsa command above writes an unencrypted key:

[sslConfig]
enableSplunkdSSL = true
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = your_ssl_password

[sslSettings]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

7. Configure Splunk Web to use the same certificate (web.conf in the same directory):

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/server.key
serverCert = /opt/splunk/etc/auth/server.pem

8. Start the container with the configuration and data directories mounted:

docker run -d \
  -e SPLUNK_START_ARGS='--accept-license' \
  -e SPLUNK_PASSWORD='your_splunk_password' \
  -v ~/splunk/etc:/opt/splunk/etc \
  -v ~/splunk/var:/opt/splunk/var \
  -p 8000:8000 \
  -p 8089:8089 \
  --name splunk splunk/splunk:latest
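With the container running, the script below sends a batch of events to HEC the way the token section above describes. It is an added example, not code from this page or from Splunk: the token goes in the Authorization header as "Splunk <token>", the request is refused unless the URL is https, and TLS verification is pinned to the cacert.pem produced by the certificate steps rather than switched off. Assumptions not on the page: HEC listens on port 8088 (its default; the docker run above does not publish it, so add -p 8088:8088 when connecting from the host), the token value is a placeholder, and the function names and sample events are constructed for this example.

```python
"""Minimal Splunk HEC client using only the Python standard library (added example)."""
import json
import os
import ssl
import time
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"  # HEC JSON event endpoint


def build_hec_payload(events, index=None, sourcetype=None, now=None):
    """Serialize a batch of events as newline-delimited JSON objects, which is
    how HEC accepts several events in one POST. Each input dict needs an
    "event" key; "time" (epoch seconds) is optional and defaults to `now`."""
    now = time.time() if now is None else now
    records = []
    for ev in events:
        record = {"event": ev["event"], "time": ev.get("time", now)}
        if index:
            record["index"] = index
        if sourcetype:
            record["sourcetype"] = sourcetype
        records.append(json.dumps(record, separators=(",", ":"), sort_keys=True))
    return "\n".join(records)


def build_hec_request(base_url, token, payload):
    """Build the POST with the token in the Authorization header.
    HEC tokens are bearer credentials, so plain http:// URLs are refused."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("refusing to send the HEC token over plain HTTP")
    req = urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=payload.encode("utf-8"),
        method="POST",
    )
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    return req


def tls_context(cafile=None):
    """Trust only `cafile` when given (the self-signed CA from the Docker steps);
    otherwise use the system trust store. Hostname checking stays on, so the
    server certificate's SAN must cover the host name you connect to."""
    return ssl.create_default_context(cafile=cafile)


def parse_hec_response(body):
    """HEC answers with {"text": ..., "code": N}; code 0 means accepted.
    Returns (accepted, message)."""
    data = json.loads(body)
    return data.get("code") == 0, data.get("text", "")


def send_events(base_url, token, events, cafile=None, **meta):
    """Batch, send and interpret the HEC response. Raises on HTTP errors."""
    payload = build_hec_payload(events, **meta)
    req = build_hec_request(base_url, token, payload)
    with urllib.request.urlopen(req, context=tls_context(cafile), timeout=10) as resp:
        return parse_hec_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events; replace the token placeholder with your own.
    sample = [
        {"event": {"action": "login", "user": "alice", "result": "success"}},
        {"event": "plain text events are accepted too", "time": 1700000000},
    ]
    accepted, message = send_events(
        "https://localhost:8088",            # assumed HEC address (default port)
        "<your-hec-token>",                  # placeholder token
        sample,
        cafile=os.path.expanduser("~/splunk/etc/auth/cacert.pem"),
        index="main",
        sourcetype="_json",
    )
    print("accepted" if accepted else "rejected", message)
```

Keeping the CA file in the SSL context is the part worth copying: disabling verification to make a self-signed certificate "work" removes the protection the certificate steps were meant to provide, while pointing the client at cacert.pem keeps full verification, including the hostname check against the SAN entries in openssl.cnf.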
Related resources