How to set up HTTP event collector in a search head cluster, and does the token need to be in a specific format?

athorat
Communicator

I do not see an option for http event collector in Splunk Web.
We have a search head cluster and an indexer cluster.
Should I create an app on the deployer and push the configuration to all search heads?
Also, another question is about the token which needs to be generated. Does it have to be in a specific format, or can any random token work?

Thanks a ton.

0 Karma

marcellodesales
Path Finder

After I disabled SSL, it could connect... However, I'm getting the following:

$ curl -k  http://localhost:8088/services/collector/event -H "Authorization: Splunk 3C9B0C01-F531-46F1-9F49-C27347C6FE7C" -d '{"event": "hello world"}'
{"text":"Data channel is missing","code":10}

Did the format change? What's the new version?

renjith_nair
SplunkTrust

HTTP Event Collector is another form of input in Splunk and uses inputs.conf.
A search head cluster does not allow data inputs from the web, and inputs.conf is not part of the replicated configuration file list. Information about SHC replication is available here: How conf repo works in SHC.

HEC can be configured in different ways depending on your infrastructure design, and a few of them are mentioned under HEC. If you would like to configure HEC on search heads, it's suggested to use the deployer, as mentioned in Propagate SHC configuration changes.

Regarding the token, it's suggested to leave it to Splunk to create tokens for you; the only restriction mentioned in the documents is that the token must be a GUID and must be unique.

Happy Splunking!
0 Karma

athorat
Communicator

We have a 3-node Search Head Cluster, ver 6.3
4-indexer cluster, ver 6.3
2 heavy forwarders, ver 6.1
Cluster Master, ver 6.3
and a Deployer, ver 6.3

We tried to create a token on the cluster master, as it's a standalone machine (and ver 6.3). Configured outputs.conf.
Used the following command to generate a token:

 /opt/splunk/bin/splunk http-event-collector create new-token "SOAHTTPPROD" -index np_dpa -uri "https://p01apl388.:8089"

When I run the following command I get an error: "curl: (56) Recv failure: Connection reset by peer"

curl -k http://p01apl388:8088/services/collector/event/ -H " Authorization: Splunk CA3DEC9C-B060-495A-BD6E-C7BB8CE7039D" -d '{"event": "hello world"}'

Oneshot indexes data from the cluster master:

./splunk add oneshot "/opt/splunk/testevent.log" -index np_dpa -sourcetype SOA:PROD:HTTPEVEN

nc -v p01apl388 8088 shows the connection is successful.

Not sure what the issue is here.

Thanks a ton for looking into this @renjith.nair

0 Karma

tmuth_splunk
Splunk Employee

Is HEC configured for non-HTTPS? Put differently, are you posting over HTTP to an HTTPS-only endpoint?

0 Karma

athorat
Communicator

Hi @tmuth_splunk, can you please throw some light on what I should be checking?
Right now I am trying to send a test event using curl from the same host where HEC is configured to the indexers.

0 Karma

tmuth_splunk
Splunk Employee

Settings > Data Inputs > HTTP Event Collector > "Global Settings" button at top > "Enable SSL" checkbox (checked by default)
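The two checks this thread comes down to, the token being a GUID and the URL scheme matching the "Enable SSL" global setting, as an added POSIX shell smoke test (example script, not from any poster or from Splunk; the host name and token value are placeholders taken from the thread, and port 8088 is the HEC default):

```shell
#!/bin/sh
# Added example: smoke-testing a HEC token from the command line.
# Host, port and token below are placeholders, not a real deployment.

# A HEC token must be a GUID: 8-4-4-4-12 hex digits, case-insensitive.
is_hec_token() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the collector URL from the "Enable SSL" setting (checked by default).
# Posting plain http:// to an SSL-enabled HEC is what produces
# "Recv failure: Connection reset by peer".
hec_url() {  # usage: hec_url <host> <enable_ssl: 1|0>
  if [ "$2" = "1" ]; then
    printf 'https://%s:8088/services/collector/event' "$1"
  else
    printf 'http://%s:8088/services/collector/event' "$1"
  fi
}

# Send one JSON event; -k skips verification of HEC's self-signed cert.
hec_send() {  # usage: hec_send <url> <token> <json-event>
  curl -sk "$1" -H "Authorization: Splunk $2" -d "$3"
}

# Only contact the network when explicitly asked: ./hec_test.sh run
if [ "${1:-}" = "run" ]; then
  TOKEN="CA3DEC9C-B060-495A-BD6E-C7BB8CE7039D"   # placeholder from the thread
  is_hec_token "$TOKEN" || { echo "token is not a GUID" >&2; exit 1; }
  hec_send "$(hec_url p01apl388 1)" "$TOKEN" '{"event":"hello world"}'
fi
```

A successful post returns `{"text":"Success","code":0}`; any other response body is HEC's own explanation of what it rejected.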
