このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) source to receive logs from your Splunk HEC. Select and set up this source when you set up a pipeline.

Prerequisites

To use Observability Pipelines’s Splunk HTTP Event Collector (HEC) source, you have applications sending data to Splunk in the expected HEC format.

To use Observability Pipelines’s Splunk HEC destination, you have a Splunk Enterprise or Cloud instance configured with an HTTP Event Collector (HEC) input. You also have the following information available:

  • The Splunk HEC token.
  • The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, 0.0.0.0:8080. Later on, you configure your applications to send logs to this address.
  • The base URL of the Splunk instance that the Worker will send processed logs to. This URL should include the port that is globally configured for Splunk HTTP Event Collectors on your Splunk instance. For example, for Splunk Cloud: https://prd-p-0mupp.splunkcloud.com:8088.
  • If your HECs are globally configured to enable SSL, then you also need the appropriate TLS certificates and password you used to create your private key file.

See Configure HTTP Event Collector on Splunk Web for more information about setting up Splunk HEC.

Note: Observability Pipelines does not support HEC Indexer Acknowledgement.

Set up the source in the pipeline UI

Select and set up this source when you set up a pipeline. The information below is for the source settings in the pipeline UI.

オプションで、スイッチを切り替えて TLS を有効にできます。TLS を有効にする場合は、以下の証明書と鍵ファイルが必要です。

  • Server Certificate Path: DER または PEM (X.509) 形式の認証局 (CA) ルートファイルにより署名された証明書ファイルへのパス。
  • CA Certificate Path: DER または PEM (X.509) 形式の認証局 (CA) ルートファイルである証明書ファイルへのパス。
  • Private Key Path: DER または PEM (PKCS#8) 形式のサーバー証明書パスに属する .key 秘密鍵ファイルへのパス

Send logs to the Observability Pipelines Worker over Splunk HEC

After you install the Observability Pipelines Worker and deploy the configuration, the Worker exposes three HTTP endpoints that uses the Splunk HEC API:

  • /services/collector/event
  • /services/collector/raw
  • /services/collector/health

To send logs to your Splunk index, you must point your existing logs upstream to the Worker.

curl http://<OPW_HOST>:8088/services/collector/event \
	-d '{"event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'

<OPW_HOST> is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the LoadBalancerDNS CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example opw-observability-pipelines-worker.default.svc.cluster.local.

At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.