Send events with Splunk HEC
You can send events to Imply Lumi using the Splunk® HTTP event collector (HEC). Push events to the HEC endpoint in Lumi using your application of choice to send HTTP requests. This integration is also compatible with the OpenTelemetry (OTel) collector.
The following diagram shows a high-level overview of the HEC integration:
To learn how to use the HEC integration with the OTel collector, see How to send events with the OTel collector.
This topic provides details on configuring event forwarding using HEC.
Prerequisites
Before you send events to Lumi using HEC, you need the following:
- Access to Lumi with the Data manager role or higher. For information on roles and permissions, see Manage roles.
- Port 443 open for outbound TCP traffic on the machine forwarding the events.
Configure event forwarding
This section describes how to configure event forwarding to Lumi with the HEC integration. You can send events using any application that supports sending HTTP requests.
To configure event forwarding, complete the following steps:
- From the Lumi navigation menu, click Integrations > Splunk HEC.
- Select or create an IAM key.
  The IAM key authenticates requests to Lumi. It also enriches incoming events with the system attributes for environment and team. You can assign HEC attributes on the IAM key to enrich incoming events.
  The IAM key token has the same format as a Splunk HEC token and is compatible with Splunk authentication.
- Assign or confirm the HEC attributes on the key.
- For the application sending the requests, add the Lumi configuration.
HEC attributes
HEC attributes are optional settings on an IAM key that configure HEC forwarding and user attributes for Splunk fields.
For the fields source, sourcetype, and index, the HEC attributes store default values to assign to the user attributes.
Note that any values set by the forwarding agent or a pipeline take precedence over the default values.
For details on user attribute assignment, see Event model.
For the list of HEC attributes, see IAM key attribute reference.
The HEC attributes also apply to the S2S integration httpout. If you use the same key for httpout, ensure that your settings are suitable for both integrations.
Examples
The following sections provide examples for configuring an OTel collector, which is suitable for production-level scenarios, and the command-line tool curl to quickly test a connection to Lumi.
To use the examples, replace the variables with your own values:
- IAM_KEY_TOKEN: IAM key token provided by Lumi. For example, 229a2561-0000-0000-0000-bc433de16f89
- LUMI_ENDPOINT: Lumi endpoint. For example, https://splunk-hec.api.lumi.imply.io/services/collector
Example with OTel collector
The Splunk OTel collector is a distribution of the OTel collector with additional features specific to Splunk.
If you already use the collector to send events to Splunk using HEC, you can also use the splunk_hec exporter to send events to Lumi.
For an end-to-end tutorial, see Send events with the OTel collector.
The OTel collector configuration involves creating an exporter and enabling it in the pipelines service.
- In the configuration for your OTel collector, add a section in exporters with exporter type splunk_hec:

  exporters:
    <any existing exporters>
    ...
    splunk_hec/logs_lumi:
      token: "IAM_KEY_TOKEN"
      endpoint: "LUMI_ENDPOINT"

  The name of an OTel collector exporter follows the format TYPE/NAME, where the name uniquely identifies the component. The example uses the logs_lumi name, but you can customize it to your preference.
- Enable the exporter by listing it in service.pipelines.logs.exporters:

  service:
    ...
    pipelines:
      logs:
        receivers: ...
        processors: ...
        exporters: [..., splunk_hec/logs_lumi]

The following example shows the relevant stanzas of a Splunk OTel collector configuration:

  ...
  exporters:
    <any existing exporters>
    ...
    splunk_hec/logs_lumi:
      token: "229a2561-0000-0000-0000-bc433de16f89"
      endpoint: "https://splunk-hec.api.lumi.imply.io/services/collector"
  ...
  service:
    ...
    pipelines:
      logs:
        receivers: ...
        processors: ...
        exporters: [..., splunk_hec/logs_lumi]

Example with curl
You can use curl to send a test event to Lumi. This command-line tool is suitable for quick tests and simple API calls.
The following code block shows an example HTTP POST request for curl.
Only the event field is required.
Run the following command to send an event called test-event, enriched with the HEC attributes source and sourcetype.

  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Splunk IAM_KEY_TOKEN" \
    -d '{"event": "test-event", "source": "curl", "sourcetype": "test"}' \
    LUMI_ENDPOINT

You can add user attributes to the event by including them in fields.
The following example shows how to send an event with the user attributes key1 and key2.

  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Splunk 229a2561-0000-0000-0000-bc433de16f89" \
    -d '{"event": "Demo log", "fields": {"key1": "value1", "key2": ["value2", "value3"]}, "index": "demo", "source": "curl", "sourcetype": "manual"}' \
    https://splunk-hec.us1.api.lumi.imply.io/services/collector

You can batch multiple events in a single request by concatenating the JSON payloads. For example:

  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Splunk 229a2561-0000-0000-0000-bc433de16f89" \
    -d '{"event":"Demo log 1","fields":{"key1":"value1"}}{"event":"Demo log 2","fields":{"key2":"value2"}}' \
    https://splunk-hec.us1.api.lumi.imply.io/services/collector

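
The batching format above is a run of back-to-back JSON objects, not a JSON array, so it is easy to get wrong when building payloads by hand. The following Python sketch is an added example, not code from the Lumi documentation: it builds and checks such a batch and keeps the IAM key token out of the source. The environment variable name LUMI_IAM_KEY_TOKEN and all function names are assumptions made for this example.

```python
import json
import os
import urllib.request

# Example endpoint from this page; replace with your own LUMI_ENDPOINT.
LUMI_ENDPOINT = "https://splunk-hec.api.lumi.imply.io/services/collector"
TOKEN_ENV = "LUMI_IAM_KEY_TOKEN"  # assumed variable name, not defined by Lumi


def encode_batch(events):
    """Serialize events as back-to-back JSON objects (not a JSON array)."""
    parts = []
    for i, ev in enumerate(events):
        if not isinstance(ev, dict) or "event" not in ev:
            raise ValueError(f"item {i}: the 'event' field is required")
        parts.append(json.dumps(ev, separators=(",", ":")))
    return "".join(parts).encode("utf-8")


def decode_batch(body):
    """Split a concatenated payload into objects, e.g. to lint it before sending."""
    text, decoder, events, pos = body.decode("utf-8"), json.JSONDecoder(), [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace
        if pos == len(text):
            return events
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)


def build_request(events, endpoint=LUMI_ENDPOINT, token=None):
    """Build the POST; the token comes from the environment, not the source."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send the IAM key token without TLS")
    token = token or os.environ[TOKEN_ENV]
    headers = {"Content-Type": "application/json",
               "Authorization": f"Splunk {token}"}
    return urllib.request.Request(endpoint, data=encode_batch(events),
                                  headers=headers, method="POST")


def send(events, **kwargs):
    """Send the batch and return the HTTP status (raises on 4xx/5xx)."""
    with urllib.request.urlopen(build_request(events, **kwargs), timeout=10) as r:
        return r.status
```

Call send(events) with the token exported in the environment; build_request alone is enough to inspect what would go on the wire without contacting Lumi.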
Check Lumi for events
Once you configure event forwarding and send events, you can preview the incoming data in Lumi:
- From the Lumi navigation menu, click Integrations > Splunk HEC.
- In the Select or create an IAM key pane, select your key.
- In the Preview incoming data pane, you'll see the events coming in to Lumi. For example:

  Lumi automatically refreshes the preview pane to display the latest events. If you don't see any incoming data, check the details in your curl request or OTel config file.
- Click Explore events to see more events associated with the IAM key. The explore view populates the search bar with your IAM key ID and the receiver type. For example:

  #iamKeyId=229a2561-0000-0000-0000-bc433de16f89 #receiver=splunk.hec

  Adjust the time range selector to filter the data displayed.

Once events start flowing into Lumi, you can search them. See Search events with Lumi for details on how to search and Lumi query syntax for a list of supported operators.
Learn more
See the following topics for more information:
- Send events with the OTel collector for a tutorial on using the OTel collector.
- Send events to Lumi for other options to send events.
- IAM key attributes for details on IAM key attributes.