Send Data to Splunk

Configure Edge Delta to stream logs, metrics, and events to Splunk using the Splunk HEC destination node.

  2 minute read  

Overview

The Splunk destination node sends items to a Splunk destination.

Configure Splunk

To set up a Splunk destination, you must:

  • Configure a HEC token in Splunk
  • Determine the correct HEC endpoint in Splunk

The process to set up a Splunk destination varies for Splunk Cloud and Splunk Enterprise users.

Step 1: Configure a HEC Token in Splunk

Option 1: Splunk Cloud To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.

Option 2: Splunk Enterprise To ensure HTTP Event Collector (HEC) is enabled:

  1. In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. Enable the All Tokens toggle option.

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You use the token in the Edge Delta Pipeline configuration.

Step 2: Determine your HEC Endpoint

Before you continue, verify that you have the following information:

  • Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
  • Splunk hostname (from Splunk Browser URI)
  • Input Protocol (HTTPS is default)

Each endpoint can support either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log. The sourcetype for the http endpoint should be set to Structures-> _json. With /event, Splunk’s JSON format is used with the timestamp in the JSON.

Configure Edge Delta

Next, you configure the Splunk destination node to forward data to the Splunk endpoint.