Configuring Splunk HEC

You can perform most common configuration tasks on Splunk Web. Splunk Web runs by default on port of the host on which it is installed.
  • If you're running Splunk on your local machine, the URL to access Splunk Web is http://localhost:.
  • If you're running Splunk on a remote machine, the URL to access Splunk Web is http://<hostname>:, where <hostname> is the name of the machine Splunk is running on.

Administration menus can be found under Settings in the Splunk Web menu bar. Most tasks in the Splunk documentation set are described for Splunk Web.

Create an HTTP Event Collector token on Splunk Enterprise

To use Splunk HEC, you must configure at least one token. A token is a bearer credential: any client that holds it can write events into the configured index, so create one token per integration rather than sharing a single token across sources.

  1. Log in to Splunk Web with valid credentials.
  2. Click Settings > Data inputs.
  3. Click HTTP Event Collector.
  4. Click New Token.
    The New Token page is displayed.
  5. In the Name field, enter a name for the token.
  6. (Optional) In the Source name override field, enter a source name for events that this input generates.
  7. (Optional) In the Description field, enter a description for the input.
  8. (Optional) In the Output Group field, select an existing forwarder output group.
  9. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  10. Click Next.
  11. (Optional) Confirm the source type and the index for HEC events.
  12. Click Review.
  13. Confirm that all settings for the endpoint are what you want.
  14. If all settings are what you want, click Submit. Otherwise, click < to make changes.

    The message Token has been created successfully is displayed along with the token value.

  15. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
  16. The HTTP Event Collector token is created and appears in the token list.
  17. Click Global Settings and review the parameters. Make sure All Tokens is set to Enabled (HEC is disabled globally by default, and no token accepts events until it is enabled) and that Enable SSL is checked. Also note the HTTP Port Number; clients connect to this port, not to the Splunk Web port.
  18. If the integration is configured with Custom CA Certificate as its Validate Certificate type, it additionally requires the CA certificate to be uploaded, so export the certificate presented at the HTTP Event Collector URL for that validation.
    Note: The certificate must be downloaded/exported in .pem format; no other format is accepted for validation.
  19. After a role and an audit log have been created, the log type and severity can be found in Splunk with a text search like the one below.
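The client side of the token procedure above, as an added example that is not part of the original page or of Splunk's own code: it authenticates with the token from step 15, posts an event to the collector port noted in step 17, verifies the HEC TLS certificate against the .pem CA from step 18, and, when indexer acknowledgment was enabled in step 9, polls the acknowledgment endpoint until the event is durable. The host, port, token value, CA path and the sample event are assumptions.

```python
"""
Send an event to Splunk HEC with token auth, TLS verification against a
custom CA bundle, and optional indexer acknowledgment.
Added example, not code from the original page; HEC_URL, HEC_TOKEN, CA_PEM
and the sample event are assumed values.
"""
import json
import ssl
import time
import urllib.error
import urllib.request
import uuid

# Assumed values: replace with the real HEC host, port, token and CA bundle.
HEC_URL = "https://splunk.example.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
CA_PEM = "/etc/ssl/certs/splunk-hec-ca.pem"  # the .pem exported in step 18


def build_headers(token, channel=None):
    """HEC authenticates with 'Authorization: Splunk <token>'. When indexer
    acknowledgment is enabled on the token, every request must also carry a
    client-chosen channel GUID in X-Splunk-Request-Channel or HEC rejects it."""
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    return headers


def build_envelope(event, epoch=None, **fields):
    """JSON envelope for /services/collector/event. Fields left unset
    (sourcetype, index, source, host) fall back to the token defaults
    confirmed in step 11."""
    envelope = {"time": epoch if epoch is not None else time.time(),
                "event": event}
    for key in ("sourcetype", "index", "source", "host"):
        if fields.get(key):
            envelope[key] = fields[key]
    return envelope


def parse_hec_response(body):
    """Success is {"text":"Success","code":0}; with acks enabled it also
    carries "ackId". Any non-zero code (e.g. 4 = Invalid token) is an error."""
    resp = json.loads(body)
    if resp.get("code") != 0:
        raise RuntimeError("HEC rejected request: %s" % resp)
    return resp


def parse_ack_response(body, ack_id):
    """/services/collector/ack answers {"acks":{"<ackId>":true|false}};
    true means the indexer has written the event to disk."""
    return bool(json.loads(body).get("acks", {}).get(str(ack_id), False))


def hec_post(path, payload, headers, ca_pem=None):
    """POST JSON to HEC, verifying the server certificate against ca_pem.
    Do not disable verification to work around a certificate error;
    fix the CA bundle instead."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    req = urllib.request.Request(HEC_URL + path,
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()  # 4xx bodies still carry the HEC JSON error


def send_with_ack(event, token=HEC_TOKEN, ca_pem=CA_PEM,
                  tries=10, delay=1.0, **fields):
    """Send one event; if the token issues an ackId, poll until it is durable."""
    channel = str(uuid.uuid4())
    headers = build_headers(token, channel)
    resp = parse_hec_response(hec_post("/services/collector/event",
                                       build_envelope(event, **fields),
                                       headers, ca_pem))
    ack_id = resp.get("ackId")
    if ack_id is None:
        return resp  # acks disabled on this token: HTTP 200 is all you get
    for _ in range(tries):
        body = hec_post("/services/collector/ack", {"acks": [ack_id]},
                        headers, ca_pem)
        if parse_ack_response(body, ack_id):
            return resp
        time.sleep(delay)
    raise RuntimeError("ackId %s never acknowledged; resend the event" % ack_id)


if __name__ == "__main__":
    # Constructed sample event; sourcetype/index override the token defaults.
    print(send_with_ack({"action": "login", "user": "alice", "result": "failure"},
                        sourcetype="_json", index="main"))
```

Two points worth keeping in mind when wiring this into an integration: an HTTP 200 without acknowledgment only means HEC accepted the request into its queue, so a source that cannot afford to lose events should enable acknowledgment in step 9 and resend anything whose ackId never turns true; and the token must be treated like a password (kept out of logs, URLs and source control), since revoking it in the token list is the only way to stop a client that has leaked it.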