Splunk HTTP Event Collector (HEC) Source

Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) source to receive logs from your Splunk HEC. Select and set up this source when you set up a pipeline.

Prerequisites

To use Observability Pipelines’s Splunk HTTP Event Collector (HEC) source, you have applications sending data to Splunk in the expected HEC format.

To use Observability Pipelines’s Splunk HEC destination, you have a Splunk Enterprise or Cloud instance configured with an HTTP Event Collector (HEC) input. You also have the following information available:

  • The Splunk HEC token.
  • The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, 0.0.0.0:8080. Later on, you configure your applications to send logs to this address.
  • The base URL of the Splunk instance that the Worker will send processed logs to. This URL should include the port that is globally configured for Splunk HTTP Event Collectors on your Splunk instance. For example, for Splunk Cloud: https://prd-p-0mupp.splunkcloud.com:8088.
  • If your HECs are globally configured to enable SSL, then you also need the appropriate TLS certificates and password you used to create your private key file.

See Configure HTTP Event Collector on Splunk Web for more information about setting up Splunk HEC.

Note: Observability Pipelines does not support HEC Indexer Acknowledgement.

Set up the source in the pipeline UI

Select and set up this source when you set up a pipeline. The information below is for the source settings in the pipeline UI.

Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required:

  • Server Certificate Path: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
  • CA Certificate Path: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
  • Private Key Path: The path to the .key private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.

Send logs to the Observability Pipelines Worker over Splunk HEC

After you install the Observability Pipelines Worker and deploy the configuration, the Worker exposes three HTTP endpoints that uses the Splunk HEC API:

  • /services/collector/event
  • /services/collector/raw
  • /services/collector/health

To send logs to your Splunk index, you must point your existing logs upstream to the Worker.

curl http://<OPW_HOST>:8088/services/collector/event \
	-d '{"event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'

<OPW_HOST> is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the LoadBalancerDNS CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example opw-observability-pipelines-worker.default.svc.cluster.local.

At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.