Let’s imagine a scenario where we create a new Splunk HEC (HTTP Event Collector) token in a dev or test environment. Typically the token would be created through the Splunk web UI like so:
Settings -> Data Inputs -> HTTP Event Collector
A new token has been created here and provided to the application team so they can send their events to the Splunk test instance. Everything works successfully, and later the application team want to start sending their events to production.
This is where we might encounter some difficulty. The security team does not allow tokens, certificates or passwords that have been used in other environments to be reused in production, so we need to create a new HEC token before we can go to production.
Firstly we need to know what a HEC token is: a UUID (Universally Unique Identifier). UUIDs have the following format (depending on the version; let’s use v4 as an example):
UUIDs can be generated in several ways without Splunk: we can use the UUID generator website – https://www.uuidgenerator.net – or a programming language with a library or package that supports UUID generation, such as Python.
Generating a new token with Python (or another language capable of creating UUIDs) can be useful as it can be integrated with your organisation’s automation and CI/CD tooling such as Jenkins, Git, Ansible etc. For example, you could promote an app to production using Git, then run a Jenkins job to deploy your apps which runs some code to update the token value in your HEC app.
To generate a new UUID with Python, run the following one-liner from a Linux command line with Python installed:
python -c "import uuid; print(uuid.uuid4());"
This should output a UUID like the following:
To utilise the HEC with your new token, firstly ensure the HEC is enabled on the Splunk instance with the following minimal config:
/opt/splunk/etc/system/local/inputs.conf:
[http]
disabled = 0
You can then add the token to your HEC app’s config, for example:
/opt/splunk/etc/apps/myhecapp/default/inputs.conf:
[http://myhecinput]
disabled = 0
index = main
sourcetype = myhecsourcetype
token = a6c03b73-7dc8-44d9-b307-4d8cf8704eea
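Putting the two halves of the tip together, the following added example (not code from the original post) shows what the "update the token value in your HEC app" step of a CI/CD job can look like: it generates a fresh v4 UUID and rewrites only the `token =` line of the target stanza, refusing to reuse the token already in the file. The inputs.conf content is a constructed sample modelled on the stanza above; a real pipeline would read and write the app's inputs.conf on disk instead.

```python
import re
import uuid

# Constructed sample modelled on the post's HEC app inputs.conf (not a real file).
SAMPLE_INPUTS_CONF = """[http://myhecinput]
disabled = 0
index = main
sourcetype = myhecsourcetype
token = a6c03b73-7dc8-44d9-b307-4d8cf8704eea
"""

STANZA_LINE = re.compile(r"^\s*\[(.+)\]\s*$")
TOKEN_LINE = re.compile(r"^\s*token\s*=")

def new_hec_token() -> str:
    """Fresh random (version 4) UUID, the format Splunk uses for HEC tokens."""
    return str(uuid.uuid4())

def is_uuid4(value: str) -> bool:
    """True only if value parses as a UUID and is version 4."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False

def rotate_token(conf_text: str, stanza: str, new_token: str) -> str:
    """Return conf_text with the token in [stanza] swapped for new_token.
    Only that stanza's token line changes; everything else is kept as-is,
    and reusing the token already in the file is refused."""
    if not is_uuid4(new_token):
        raise ValueError("new token is not a version 4 UUID")
    out, current, replaced = [], None, False
    for line in conf_text.splitlines(keepends=True):
        header = STANZA_LINE.match(line)
        if header:
            current = header.group(1)
        elif current == stanza and TOKEN_LINE.match(line):
            old = line.split("=", 1)[1].strip()
            if old == new_token:
                raise ValueError("new token must differ from the existing one")
            line = f"token = {new_token}\n"
            replaced = True
        out.append(line)
    if not replaced:
        raise KeyError(f"no token setting found in [{stanza}]")
    return "".join(out)

if __name__ == "__main__":
    print(rotate_token(SAMPLE_INPUTS_CONF, "http://myhecinput", new_hec_token()))
```

The same token value must then be given to the application team for production; the old dev/test token stays behind in the test environment only.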
For further information and details on setting up the HEC refer to the Splunk docs here – https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/UsetheHTTPEventCollector
Alternatively feel free to contact us!
For 2021 we’ve committed to posting a new Splunk tip every week!
If you want to keep up to date on tips like the one above then sign up below:
Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.