Skip to content

Splunk's HTTP Event Collector client library.

License

Notifications You must be signed in to change notification settings

greenpau/gosplunk

Repository files navigation

Go Report Card Build Status Hex.pm

Golang Client Libraries for Splunk

HTTP Event Collector Client Library

Splunk's HTTP Event Collector (HEC) is an endpoint allowing sending messages to Splunk via RESTful API using HTTP/S transport. The endpoint identifies its clients based on a token the clients' provide. A Splunk administrator configures tokens under "Add Data", "HTTP Event Collector". Once configured, the administrator provides the token to a client application.

By default, the HTTP Event Collector receives data over HTTPS on TCP port 8088.

If necessary, enable HEC tokens by running the following command on the server:

curl -k -X "POST" -u admin:password https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http/http/enable

Getting Started

If necessary, create HEC token:

HTTP Event Collector Tokens

The "Input Settings" for the HEC are:

  • Source Type: Automatic
  • App context: Search & Reporting
  • Index: main

HTTP Event Collector Token Configuration

Prior to connecting to HEC, check its availability:

echo -n | openssl s_client -showcerts -connect splunk:8088

The expected result would look like this:

CONNECTED(00000003)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
    i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/[email protected]

Next, create a configuration file at ~/.splunk.hec.yaml with the following contents:

---
collector:
  host: 'splunk'
  port: 8088
  token: '61876693-4758-4f45-bca7-c910ccc746eb'

Then, compile and run this example:

make
bin/http-event-collector-client

The expected output follows. Here, the client sends a message, plus two event fields: foo and bar:

$ bin/http-event-collector-client
DEBU[0000] splunk-http-collector-client: proto=https
DEBU[0000] splunk-http-collector-client: host=splunk
DEBU[0000] splunk-http-collector-client: port=8088
DEBU[0000] splunk-http-collector-client: token=61876693-4758-4f45-bca7-c910ccc746eb
DEBU[0000] splunk-http-collector-client: timeout=5
DEBU[0000] splunk-http-collector-client: endpoint.health=https://splunk:8088/services/collector/health
DEBU[0000] splunk-http-collector-client: endpoint.event=https://splunk:8088/services/collector/event
DEBU[0000] splunk-http-collector-client: endpoint.raw=https://splunk:8088/services/collector/raw
DEBU[0000] splunk-http-collector-client: url=https://splunk:8088/services/collector/health
DEBU[0000] splunk-http-collector-client: status=200 OK
DEBU[0000] splunk-http-collector-client: HEC is available and accepting input
DEBU[0000] splunk-http-collector-client: code=17, text=HEC is healthy
DEBU[0000] message="{ test message on 2018-08-07 09:42:03.651128622 -0400 EDT m=+0.067162200" map[foo:bar bar:foo]     0}"
DEBU[0000] splunk-http-collector-client: url=https://splunk:8088/services/collector/event
DEBU[0000] splunk-http-collector-client: status=200 OK
DEBU[0000] splunk-http-collector-client: code=0, text=Success

Once successful, the Splunk would have the following indexed event:

HTTP Event Collector Indexed Event

References

About

Splunk's HTTP Event Collector client library.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published