Splunk | Configure an HTTP event collector
Set up an index and an HTTP Event Collector (HEC) in Splunk. This prepares you to use the Perfecto Splunk project.
For more information on the Perfecto Splunk project, see the article here.
The HTTP Event Collector is required to send the data to Splunk via an API call. Follow the steps below to create the collector if you are running Splunk Enterprise.
If you are a Splunk Cloud customer, you must contact support to have them create a public-facing HEC for you. You will need to provide support with an index name and a data source type when you submit the request. Instructions for creating the custom data source type needed for the Perfecto Splunk Connector can be found here.
Create the HTTP Event Collector
- Select Settings and then Data Inputs.
- Select HTTP Event Collector.
- Select New Token.
- Enter a data collector name and click Next.
- Add the index you want the HEC to use to the Selected Items list and click Review.
- On the next screen, click Submit.
- Ensure the HTTP Event Collector is now enabled.
Enable tokens
- If you have an icon in the top right indicating that all tokens are disabled, click Global Settings.
- Select Enabled and then click Save.
Configure the HEC for input
- Select Edit on the data input you created.
- Enter a Source name.
- For Source Type, select the custom source type you created by following the process here.
- Ensure the index you created is in the selected index list.
- Click Save.
Increase the event data truncate limit
By default, Splunk truncates events at 10,000 bytes (characters). You can increase this limit in the Splunk properties files. Depending on the size of your JSON records, this may or may not need to be modified.
- Navigate to your Splunk directory and open the props.conf file in the \etc\system\default directory.
- Modify the TRUNCATE property under the default section at the top of the file to change the maximum characters for a message, for example to 1,000,000.
- After the setting has been changed, restart your Splunk instance.
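The following is an added example, not code from the Perfecto project, showing what the API call to the collector configured above looks like: the token goes in the Authorization header, and the index, source and sourcetype chosen in the steps above travel as top-level fields next to the JSON event. The host, token, index and sourcetype values are placeholders, and the size check against the default 10,000-byte TRUNCATE limit is an approximation based on the serialized event field.

```python
import json
import urllib.request

# Placeholder values (assumed, not from the page): your Splunk host on the
# default HEC port, the token issued under Settings > Data Inputs, and the
# index/sourcetype selected for the Perfecto connector.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
TRUNCATE_LIMIT = 10000  # Splunk's default TRUNCATE value in props.conf


def build_hec_request(event: dict, index: str, sourcetype: str,
                      source: str = "perfecto") -> tuple:
    """Return (headers, body) for one event posted to the HEC event endpoint."""
    envelope = {
        "index": index,            # must be in the HEC's selected index list
        "source": source,          # the Source name entered on the data input
        "sourcetype": sourcetype,  # the custom source type created earlier
        "event": event,            # the JSON record itself
    }
    body = json.dumps(envelope, separators=(",", ":")).encode("utf-8")
    headers = {
        "Authorization": "Splunk " + HEC_TOKEN,  # HEC token auth scheme
        "Content-Type": "application/json",
    }
    return headers, body


def exceeds_truncate(event: dict, limit: int = TRUNCATE_LIMIT) -> bool:
    """True if the indexed text of this event would be cut at the TRUNCATE limit.

    Splunk indexes the serialized 'event' field as _raw, so its byte length
    (approximated here with compact JSON) is what the limit applies to.
    """
    raw = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return len(raw) > limit


def send_event(event: dict, index: str, sourcetype: str) -> dict:
    """POST one event to the HEC; refuse events that would be truncated."""
    if exceeds_truncate(event):
        raise ValueError("event exceeds TRUNCATE; raise the limit in props.conf first")
    headers, body = build_hec_request(event, index, sourcetype)
    req = urllib.request.Request(HEC_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # HEC replies {"text": "Success", "code": 0} on acceptance


if __name__ == "__main__":
    print(send_event({"testName": "login", "status": "PASSED"}, "perfecto", "perfecto:json"))
```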