Query string authentication can be enabled on a per-token basis. On the Splunk server, edit the file at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf . Tokens are listed by name in this file, in the form http://<token_name> . Within the stanza for each token that needs to enable query string authentication, add the following setting (or change the existing setting, if applicable): allowQueryStringAuth = true Save and close the inputs.conf file and restart Splunk service to reload configuration. For Splunk Cloud, you must open a Splunk Support ticket to set allowQueryStringAuth to true. Support for a toggle in Splunk Web for this setting is planned for a future release. HEC token can then be specified as a query string in the URL in the format: ?token=<hec_token> For example: curl -k "https://my-splunk-hec.example.com:8088/services/collector/raw?token=91dfd4e5-da4f-4861-89dd-dcdec19067fb&channel=8cf7407d-fa98-4d97-9b7b-5f5902aa7744&sourcetype=mydata" -d '1, 2, 3... Hello, world!'
... View more