For more about HEC tokens, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Documentation site.
For more about the Splunk HTTP Event Collector, see Configure the Splunk HTTP Event Collector for use with additional technologies in the Splunk Developer Portal.
Before you can configure a HEC integration in Splunk Synthetic Monitoring, you need to create a HEC access token and identify your ingest endpoint. Follow these steps to learn how.
Note: The Splunk Synthetic Monitoring HEC integration relies on an SSL (Secure Sockets Layer) configuration. It is not compatible with self-signed SSL certificates. It is also incompatible with Splunk-signed certificates. Ensure you have a valid SSL certificate from a major SSL authority before sending data to a HEC integration.
- Administrator access in your Splunk Synthetic Monitoring instance
- Administrator access in your Splunk Web instance
- A valid SSL certificate from a major SSL authority
Step 1. Create a HEC token in your Splunk instance
Tokens are entities that allow logging agents and HTTP clients to authenticate their connection to HEC. A token has a unique value, which is a 128-bit number represented as a 32-character globally unique identifier (GUI). Agents and clients present this token value when they connect to HEC, and if the token is valid, they can deliver their payload of application events.
Tokens can also specify the source, source type, and index for which the data received through HEC will be configured. You can set this configuration when you create a HEC token.
Create a HEC token in Splunk Cloud or Splunk Enterprise
HEC configurability and functionality varies based on whether you run it on Splunk Cloud or Splunk Enterprise.
To create a HEC token on Splunk Cloud, follow the steps described in Configure HTTP Event Collector on Splunk Cloud.
To create a HEC token on Splunk Enterprise, follow the steps described in Configure HTTP Event Collector on Splunk Enterprise.
Once you have generated a token, ensure you copy the token value for the HEC token you create so you can paste it into your configuration of a HEC integration in Splunk Synthetic Monitoring.
Step 2. Identify your ingest endpoint
The ingest endpoint is the specific Uniform Resource Indicator (URI) you use to send data to HEC.
The standard form for a HEC URI is
- <protocol> is either http or https.
- <host> is the Splunk instance that runs HEC.
- <port> is the HEC port number. This number is 8088 by default.
- <endpoint> is the HEC endpoint you want to use. To send data from your Splunk Synthetic Monitoring instance, the endpoint path you provide must include /services/collector. This sends JSON-formatted events.
If you’re using Splunk Cloud, see Send data to HTTP Event Collector on Splunk Cloud to learn more about the standard HEC URI form in your case.
If you’re using Splunk Enterprise, see Send data to HTTP Event Collector on Splunk Enterprise to learn more about the standard HEC URI form in your case.
You can change the HEC port, disable HTTPS, and adjust other defaults by clicking the Global Settings page at the top of the HEC management page at Settings > Data inputs > HTTP Event Collector.
Note: To send data from your Splunk Synthetic Monitoring instance, the endpoint path you provide must include /services/collector.
Once you have identified the appropriate endpoint URI in your case, ensure you copy it exactly into your configuration of a HEC integration in Splunk Synthetic Monitoring, described in the next step.
Step 3. Configure a HEC integration in your Splunk Synthetic Monitoring instance
Use the following steps to set up a HEC integration in Splunk Synthetic Monitoring. You need Administrator access to perform these steps.
- Click the three-dot menu icon in the top right corner of the landing page.
- In the drop-down menu, select Integrations.
- Click the +New button.
- Under Type, select Splunk HEC.
- Under Name, type a name for your integration.
- Under Access Token, paste the HEC Access Token you generated in Step 1 of this topic.
- Under Ingest Endpoint, paste the ingest endpoint URI you identified in Step 2 of this topic.
- Under Tags, select the tags you’d like to associate with this integration.
- Under Metrics, select the metrics you’d like to send from Splunk Synthetic Monitoring to Splunk Core. You can click Select all, or click Deselect all to deselect all metrics and then select just the ones you’d like to send.
- (Optional) User Timings are customizable measurements of the timing of specific events on your site collected by Splunk Synthetic Monitoring’s Real Browser test. To learn more about User Timings, see User Timings: Measure What Matters to You on the Rigor blog. If you want to send User Timings from a Real Browser test to your Splunk Web instance, you can click the User Timings toggle to reveal a checkmark. If not, click it again to reveal an X.
- When you’re finished configuring the integration, click Submit.
Step 4. Add your HEC integration to a Splunk Synthetic Monitoring check
Now that you have created a HEC integration, you can add the integration to any Real Browser, HTTP, Port, or API check to send its data to your Splunk Web instance. Follow these steps to do so.
- On the homepage of Splunk Synthetic Monitoring, navigate to your list of checks and click the gear icon on any check.
- Click Edit in the dropdown menu.
- Click the Notifications tab.
- Scroll to Data Integrations and click + Add Data Integration.
- From the dropdown menu, select the HEC integration you created in Step 3.
- Click Save.
Step 5. Confirm your data is shipping to your Splunk instance as you expect
To ensure the integration is working as you expect, make sure the data you intended to send from your Splunk Synthetic Monitoring instance is appearing in Splunk Web.
In the Search page of your Splunk instance, run a SPL search in which you specify the following:
source=”<name of your HEC token>“
Confirm that data from this source appears in the results.
If data is not appearing as you expect, you can try the following:
- Confirm that the HEC endpoint you provided in the integration in Splunk Synthetic Monitoring is correct. See Send data to HTTP Event Collector in the Splunk documentation for more information.
- Confirm that you have an SSL certificate from a major SSL authority
- Contact Splunk Synthetic Monitoring support by clicking the chat icon in the bottom right corner of the Synthetic Monitoring app to start a new conversation or by emailing firstname.lastname@example.org. See How Do I Contact Rigor Support? for more information about contacting support.