
Splunk HEC Input

Accepts POSTed data directly to the Monad Splunk HEC endpoints.

Details

The Splunk HEC input implements the Splunk HEC endpoints. By creating a Splunk HEC Input, users can publish any data they wish to a pipeline without needing to have a specifically implemented input to support that data.

Prerequisites

There are no prerequisites to start using the Splunk HEC input. Simply create a Splunk HEC Input and attach it to a pipeline.

Sending data

Sending data to a Splunk HEC input requires sending a POST request to the Monad API with a Splunk Authentication header.

The body of the request requires that records be put in the event key, in an array of JSON objects for each record.

Note: When including multiple records, the format is line-delimited JSON objects.

Authentication

All requests to the Splunk HEC endpoints require a Splunk authentication header to be set.

Authorization: Splunk <pipeline-uuid>

Single record

POST /services/collector or POST /services/collector/event

The JSON object in event will be sent to the pipeline directly. All other fields supported by the Splunk HEC standard will be ignored.

{
"event": {}
}

POST /service/collector/raw

Monad requires that all records be in JSON format, so on the raw endpoint each event must be a JSON object.

{}

Multiple Records

POST /services/collector or POST /services/collector/event

{
"event": {}
}
{
"event": {}
}
{
"event": {}
}

POST /service/collector/raw

{}
{}
{}

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

None.

Secrets

None.

API

To send a POST request to create this Monad HTTP Connector:

curl -X 'POST' \
  '{base_url}/api/v2/{org_id}/inputs' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "config": {
      "secrets": {},
      "settings": {}
    },
    "description": "input_description",
    "name": "input_name",
    "type": "monad-splunk-hec"
  }'

Python Example

import requests
import json

# Replace {base_url} with the Monad API base URL
url = '{base_url}/services/collector'
headers = {
    'accept': 'application/json',
    'Content-Type': 'application/json',
    # Splunk authentication header: "Splunk <pipeline-uuid>"
    'Authorization': 'Splunk my_pipeline_id',
}
data = {
    'event': [
        {
            'dummy-key': 'dummy-data'
        }
    ]
}

response = requests.post(url, headers=headers, json=data)
print(json.dumps(response.json(), indent=2))
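
The line-delimited format described under Multiple Records, as an added example that is not Monad's own code: it builds the request body for either the event or the raw format and rejects records that are not JSON objects before anything is sent. The function names, the base URL and the pipeline UUID are constructed for illustration, and the standard library's urllib is used in place of requests so the block runs without extra packages.

```python
import json
import urllib.request


def build_body(records, raw=False):
    """Serialize records as line-delimited JSON, one object per line.

    raw=False wraps each record as {"event": record}; raw=True emits the
    record itself, as the raw endpoint expects.
    """
    if not records:
        raise ValueError("at least one record is required")
    lines = []
    for i, record in enumerate(records):
        if not isinstance(record, dict):
            raise TypeError(f"record {i} is {type(record).__name__}, not a JSON object")
        payload = record if raw else {"event": record}
        # json.dumps escapes newlines inside strings, so each record stays on
        # one line; allow_nan=False rejects NaN/Infinity, which are not JSON.
        lines.append(json.dumps(payload, separators=(",", ":"), allow_nan=False))
    return "\n".join(lines).encode("utf-8")


def build_request(base_url, pipeline_uuid, records,
                  path="/services/collector/event", raw=False):
    """Build (but do not send) the POST request with the Splunk auth header."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=build_body(records, raw=raw),
        headers={
            "Authorization": f"Splunk {pipeline_uuid}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    sample = [{"user": "alice", "msg": "login\nok"}, {"user": "bob", "msg": "logout"}]
    req = build_request("https://monad.example",
                        "00000000-0000-0000-0000-000000000000", sample)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # urllib.request.urlopen(req) would send it.
```

For the raw endpoint, pass raw=True together with that endpoint's path as the path argument.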