Splunk HTTP Event Collector Source

Use Edge Delta to ingest log data from Splunk’s HTTP Event Collector with the Splunk HEC source node.

  7 minute read  

Overview

This source node is used to ingest log data from Splunk’s HTTP Event Collector. The Splunk HEC source listens on the following endpoints:

  • JSON Events: <host>:<port>/services/collector/event - For structured JSON event data
  • Raw Data: <host>:<port>/services/collector/raw - For raw text data

Example Configuration

nodes:
  - name: my_hec_input
    type: splunk_hec_input
    port: 8088
    read_timeout: 30s

Splunk Output Configuration

To configure Splunk to send data to the Edge Delta HEC input, add the following to your Splunk outputs.conf:

[httpout]
httpEventCollectorToken = 1234abcd-67ef-89gh-1234-567890ijkl
uri = http://localhost:3421/services/collector/event
batchSize = 32768
batchTimeout = 10

Replace:

  • httpEventCollectorToken with your desired token (omit this line if Edge Delta doesn’t enforce authentication)
  • localhost:3421 with your Edge Delta HEC input host and port
  • Use /services/collector/event for JSON events or /services/collector/raw for raw data

Required Parameters

name

A descriptive name for the node. This is the name that will appear in pipeline builder and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: splunk_hec_input

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

read_timeout

The read_timeout parameter is used to specify how long to wait for incoming data. Default value is 0 which means no time out. It is specified as a duration and it is required.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s

Optional Parameters

listen

The listen parameter is used to specify the address to listen to for incoming traffic. It is specified as a string and it is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    listen: <host>

port

Enter the port number that the splunk_hec_input type node should listen on. It is specified as an integer and is a required parameter.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    port: <port number>

source_metadata

The source_metadata parameter is used to define which detected resources and attributes to add to each data item as it is ingested by the Edge Delta agent. In the GUI you can select:

  • Required Only: This option includes the minimum required resources and attributes for Edge Delta to operate.
  • Default: This option includes the required resources and attributes plus those selected by Edge Delta
  • High: This option includes the required resources and attributes along with a larger selection of common optional fields.
  • Custom: With this option selected, you can choose which attributes and resources to include. The required fields are selected by default and can’t be unchecked.

Based on your selection in the GUI, the source_metadata YAML is populated as two dictionaries (resource_attributes and attributes) with Boolean values.

See Choose Data Item Metadata for more information on selecting metadata.

tls

The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      <tls options>:

ca_file

The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file. It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ca_file: /certs/ca.pem

ca_path

The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ca_path: /var/etc/kafka

client_auth_type

The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

  • noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
  • requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
  • requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
  • verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
  • requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      client_auth_type: <auth type>

crt_file

The crt_file parameter is a child of the tls parameter. It specifies the certificate file. It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      crt_file: /certs/server-cert.pem

ignore_certificate_check

The ignore_certificate_check parameter is a child of the tls parameter. When set to true, it ignores certificate checks for the remote endpoint. It is specified as a Boolean value and the default is false, indicating that TLS verification will be performed. This is an optional parameter.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ignore_certificate_check: true

key_file

The key_file parameter is a child of the tls parameter. It specifies the key file. It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      key_file: /certs/server-key.pem

key_password

The key_password parameter is a child of the tls parameter. It specifies the key password. When the private key_file location is provided, this file can also be provided to get the password of the private key. It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      key_password: <password>

attributes_from_header

Minimum Agent Version: v2.5.0

The attributes_from_header parameter allows you to extract specific HTTP headers from incoming Splunk HEC requests and store them as attributes on the received data items. This is useful for capturing metadata such as authentication tokens, client identifiers, or custom headers. It is specified as an array of header names and is an optional advanced parameter.

When a Splunk HEC request includes an Authorization: Splunk <token> header and Authorization is included in this list, the token value will be stored in resource.splunk_token on the data item, which can then be used by the Splunk output node.

nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    attributes_from_header:
      - Authorization
      - X-Splunk-Request-Channel
      - X-Custom-Header

Example Use Case: This feature enables token passthrough scenarios where the Splunk HEC input captures the original Splunk token from incoming requests, and the Splunk output node can use that same token when forwarding data to Splunk, maintaining authentication context throughout the pipeline.

max_version

The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      max_version: <TLS version>

min_version

The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      min_version: <TLS version>

Testing the Endpoint

You can test your Edge Delta HEC endpoint using curl:

# For JSON events
curl "http://localhost:3421/services/collector/event" \
  -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
  -d '{"event": "Hello, world!", "sourcetype": "manual"}'

# For raw data
curl "http://localhost:3421/services/collector/raw" \
  -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
  -d 'Raw log message'