
Send events with Splunk HEC

You can send events to Imply Lumi using the Splunk® HTTP event collector (HEC). Push events to the HEC endpoint in Lumi using your application of choice to send HTTP requests. This integration is also compatible with the OpenTelemetry (OTel) collector.

The following diagram shows a high-level overview of the HEC integration:

[Diagram: Lumi HEC]

To learn how to use the HEC integration with the OTel collector, see How to send events with the OTel collector.

This topic provides details on configuring event forwarding using HEC.

Prerequisites

To send events to Lumi using HEC, you need the following:

  • Access to Lumi with the Data manager role or higher. For information on roles and permissions, see Manage roles.
  • Lumi IAM key. See Create an IAM key for details.
  • Port 443 open for outbound TCP traffic on the machine forwarding the events.

Set HEC attributes

The IAM key authenticates requests to Lumi. It also enriches incoming events with the system attributes for environment and team. When you send events with Splunk HEC, you can assign HEC attributes on the IAM key. Lumi stores these values as user attributes on the events.

This section describes IAM key attributes you can configure for the HEC integration.

Note that user attributes derived from raw events and upstream agents take precedence over any attributes you set on IAM keys in Lumi. For more information, see Attributes on an IAM key.

Source

Default value for the origin of the events sent to Lumi.

Example: http:demo-key

If you don't provide a value, Lumi doesn't store the attribute.

Info: The Lumi UI populates the Source field with http:IAM_KEY_NAME, where IAM_KEY_NAME is the name of your IAM key. This follows the default source name assignment in Splunk, http:TOKEN_NAME. Note that HEC token names are unique in Splunk, but IAM key names aren't unique in Lumi.

Source type

Default value for the type of event data.

Example: sourcetype:access_combined

If you don't provide a value, Lumi stores the value httpevent.

Default index

Default value for the index attribute.

If you don't provide a value, Lumi stores the value of the server default index. For example, main.

Info: The index is stored as a user attribute on the event, not as the event's repository. For examples, see Lumi concepts for Splunk users.

Allowed indexes

Comma-separated list of allowed values for the index field.

Note that Lumi doesn't store a user attribute for this setting.

Indexer acknowledgment

Select the Indexer acknowledgment toggle to use the HEC indexer acknowledgment data protocol. When selected, Lumi expects each HEC request to carry a channel ID and returns an acknowledgment ID in the response. The acknowledgment confirms receipt of the request only; it doesn't confirm that the event was ingested.

Note that Lumi doesn't store a user attribute for this setting.

Configure event forwarding

This section describes how to configure event forwarding to Lumi with the HEC integration. You can send events using any application that supports sending HTTP requests. The examples demonstrate how to use the OTel collector, which is suitable for production-level scenarios, and the command-line tool curl to quickly test a connection to Lumi.

To configure event forwarding, complete the following steps:

  1. From the Lumi navigation menu, click Integrations > Splunk HEC.
  2. Select or create an IAM key.
  3. Assign or confirm the HEC attributes on the key.
  4. For the application sending the requests, add details from the Lumi integration.

The following sections provide detailed instructions for example applications. To use the examples, replace the variables with your own values:

  • IAM_KEY_TOKEN: IAM key token provided by Lumi.
    For example, 229a2561-0000-0000-0000-bc433de16f89
  • LUMI_ENDPOINT: Lumi endpoint.
    For example, https://splunk-hec.api.lumi.imply.io/services/collector

Example with OTel collector

The Splunk OTel collector is a distribution of the OTel collector with additional features specific to Splunk. If you already use the collector to send events to Splunk using HEC, you can also use the splunk_hec exporter to send events to Lumi. For an end-to-end tutorial, see Send events with the OTel collector.

The OTel collector configuration involves creating an exporter and enabling it in the pipelines service.

  1. In the configuration for your OTel collector, add a section in exporters with exporter type splunk_hec:

    exporters:
      <any existing exporters>
      ...
      splunk_hec/logs_lumi:
        token: "IAM_KEY_TOKEN"
        endpoint: "LUMI_ENDPOINT"

    The name of an OTel collector exporter follows the format TYPE/NAME, where the name uniquely identifies the component. The example uses the logs_lumi name, but you can customize it to your preference.

  2. Enable the exporter by listing it in service.pipelines.logs.exporters:

    service:
      ...
      pipelines:
        logs:
          receivers: ...
          processors: ...
          exporters: [..., splunk_hec/logs_lumi]

The following example shows the relevant stanzas of a Splunk OTel collector configuration:

    ...

    exporters:
      <any existing exporters>
      ...
      splunk_hec/logs_lumi:
        token: "229a2561-0000-0000-0000-bc433de16f89"
        endpoint: "https://splunk-hec.api.lumi.imply.io/services/collector"

    ...

    service:
      ...
      pipelines:
        logs:
          receivers: ...
          processors: ...
          exporters: [..., splunk_hec/logs_lumi]

Example with curl

You can use curl to send a test event to Lumi. This command-line tool is suitable for quick tests and simple API calls.

The following code block shows an example HTTP POST request for curl. Only the event field is required. Run the following command to send an event called test-event, enriched with the HEC attributes source and sourcetype.

curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Splunk IAM_KEY_TOKEN" \
-d '{ "event": "test-event", "source": "curl", "sourcetype": "test" }' \
LUMI_ENDPOINT

You can add user attributes to the event by including them in fields. The following example shows how to send an event with the user attributes key1 and key2.

curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Splunk 229a2561-0000-0000-0000-bc433de16f89" \
-d '{ "event": "Demo log", "fields": {"key1": "value1", "key2": ["value2", "value3"]}, "index": "demo", "source": "curl", "sourcetype": "manual" }' \
https://splunk-hec.us1.api.lumi.imply.io/services/collector
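The curl examples above and the Indexer acknowledgment setting described earlier, as an added example that is not part of Lumi's documentation or tooling: a small Python helper that builds the same HEC request (Authorization header, event, fields, source, sourcetype, index), rejects a missing event or an index outside the key's allowed list before anything leaves the host, and attaches a channel ID when acknowledgment is enabled. The IAM_KEY_TOKEN and LUMI_ENDPOINT values are placeholders, and the X-Splunk-Request-Channel header is assumed from Splunk HEC; the page does not name the header.

```python
"""Build and optionally send Splunk HEC requests to Lumi (added example)."""
import json
import urllib.request
from typing import Any, Dict, Iterable, Optional, Tuple

# Constructed placeholders; replace with the token and endpoint from your Lumi integration.
IAM_KEY_TOKEN = "IAM_KEY_TOKEN"
LUMI_ENDPOINT = "https://splunk-hec.api.lumi.imply.io/services/collector"


def build_hec_request(event: Any, token: str, fields: Optional[Dict[str, Any]] = None,
                      source: Optional[str] = None, sourcetype: Optional[str] = None,
                      index: Optional[str] = None, allowed_indexes: Iterable[str] = (),
                      channel: Optional[str] = None) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) for one HEC event. Only `event` is required.

    `fields` become user attributes; `source`, `sourcetype` and `index` override the
    defaults set on the IAM key. When `allowed_indexes` is given, a mismatched index
    fails here instead of at Lumi. `channel` is the indexer-acknowledgment channel ID,
    sent in X-Splunk-Request-Channel (assumed from Splunk HEC).
    """
    if event in (None, ""):
        raise ValueError("HEC payload requires a non-empty 'event'")
    allowed = set(allowed_indexes)
    if index is not None and allowed and index not in allowed:
        raise ValueError(f"index {index!r} not in allowed indexes {sorted(allowed)}")
    payload: Dict[str, Any] = {"event": event}
    if fields:
        payload["fields"] = fields
    for key, value in (("source", source), ("sourcetype", sourcetype), ("index", index)):
        if value is not None:
            payload[key] = value
    headers = {"Content-Type": "application/json", "Authorization": f"Splunk {token}"}
    if channel is not None:
        headers["X-Splunk-Request-Channel"] = channel
    return headers, json.dumps(payload, separators=(",", ":")).encode()


def send_event(endpoint: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """POST the request over HTTPS (port 443) and return Lumi's decoded JSON response."""
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    hdrs, body = build_hec_request("Demo log", IAM_KEY_TOKEN,
                                   fields={"key1": "value1", "key2": ["value2", "value3"]},
                                   index="demo", allowed_indexes=["demo", "main"],
                                   source="curl", sourcetype="manual")
    print(send_event(LUMI_ENDPOINT, hdrs, body))
```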

Check Lumi for events

Once you configure event forwarding and send events, you can preview the incoming data in Lumi:

  1. From the Lumi navigation menu, click Integrations > Splunk HEC.

  2. In the Select or create an IAM key pane, select your key.

  3. In the Preview incoming data pane, you see the events coming into Lumi. For example:

    [Screenshot: HEC integration]

    Lumi automatically refreshes the preview pane to display the latest events. If you don't see any incoming data, check the details in your curl request or OTel config file.

  4. Click Explore events to see more events associated with the IAM key. The explore view populates the search bar with your IAM key ID and the receiver type. For example:

    #iamKeyId=229a2561-0000-0000-0000-bc433de16f89 #receiver=splunk.hec

    Adjust the time filter to choose the range of data displayed.

    [Screenshot: Explore events]

Once events start flowing into Lumi, you can search them. See Search events with Lumi for details and information on supported search syntax.

Learn more

See the following topics for more information: