Let’s imagine a scenario where we create a new Splunk HEC (HTTP Event Collector) token in a dev or test environment. Typically the token would be created through the Splunk web UI like so:

Settings -> Data Inputs -> HTTP Event Collector

A new token has been created here and provided to the application team so they can send their events to the Splunk test instance. Everything works, and later the application team want to start sending their events to production.

This is where we might encounter some difficulty. The security team does not allow tokens, certificates or passwords that have been used in another environment to be reused in production. The rule makes sense for HEC in particular: the token is a bearer credential, so anyone who has seen it (every developer, script and log in the test environment) can write events into whichever indexes it is allowed to reach. So we need to create a new HEC token before we can go to production.

Firstly we need to know what a HEC token is: a UUID (Universally Unique Identifier). A UUID is a 128-bit value written as 32 hexadecimal digits in five hyphen-separated groups of 8, 4, 4, 4 and 12 characters. The first digit of the third group is the version; in a version 4 UUID, which we will use as our example, the remaining 122 bits are random.

For more information on the UUID format check the IETF (Internet Engineering Task Force) specification, RFC 4122.

UUIDs can be generated in several ways without Splunk: with an online generator such as https://www.uuidgenerator.net, or with a programming language that has a library or package supporting UUID generation, such as Python. For a production credential, prefer generating it locally: a token produced on a third-party website has already been seen by someone else before it is ever used.

Generating a new token with Python (or another language capable of creating UUIDs) is useful because it can be integrated with your organisation’s automation and CI/CD tooling such as Jenkins, Git, Ansible etc. For example, you could promote an app to production using Git, then run a Jenkins job to deploy your apps which runs some code to update the token value in your HEC app. Keep the generated value in the CI/CD system’s secret store rather than committing it to the repository alongside the app, since the repository is exactly the kind of shared place the reuse rule is meant to keep credentials out of.

To generate a new UUID with Python, run the following simple piece of code from a Linux command line with Python installed (use python3 on distributions where python is not on the path):

python -c "import uuid; print(uuid.uuid4());"

This should output a UUID such as a6c03b73-7dc8-44d9-b307-4d8cf8704eea (the value is random, so yours will differ).

Python’s uuid module is part of the standard library and does not require any package installation via pip etc.

To use the HEC with your new token, first ensure the HEC is enabled on the Splunk instance with the following minimal config. HEC listens on port 8088 with TLS enabled by default (enableSSL = 1); leave that default in place so the token is never sent in clear text:

/opt/splunk/etc/system/local/inputs.conf:

[http]
disabled = 0

You can then add the token in an app of your own, for example (Splunk convention is that default/ holds the config shipped with the app and local/ holds site-specific overrides; for a token you rotate per environment, local/ has the advantage of not being overwritten when the app is upgraded):

/opt/splunk/etc/apps/myhecapp/default/inputs.conf:

[http://myhecinput]
disabled = 0
index = main
sourcetype = myhecsourcetype
token = a6c03b73-7dc8-44d9-b307-4d8cf8704eea
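The following Python script is an added example (not code from this post, from iDelta or from Splunk) of the rotation step a Jenkins job could run against the stanza above: it generates a version 4 UUID, checks that it really is one, swaps it into the token line of the [http://myhecinput] stanza while leaving every other line untouched, refuses to reuse the old value, and builds the HTTPS request an application would then send with the new token. The inputs.conf content is the stanza from this post embedded as a constructed sample; the host name splunk-prod.example.internal is an assumption, and /services/collector/event on port 8088 is Splunk’s default HEC endpoint.

```python
"""Rotate the token in a Splunk HEC input stanza and build the matching
HEC request.  Added example for this post; not code from iDelta or Splunk."""
import json
import re
import uuid
import urllib.request

# Constructed sample: the inputs.conf stanza from the post, with a comment
# line added so the rewrite can be seen to leave everything else unchanged.
SAMPLE_INPUTS_CONF = """\
# HEC input for the application team (constructed sample)
[http://myhecinput]
disabled = 0
index = main
sourcetype = myhecsourcetype
token = a6c03b73-7dc8-44d9-b307-4d8cf8704eea
"""

_STANZA_LINE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_TOKEN_LINE = re.compile(r"^(\s*token\s*=\s*)(\S+)(\s*)$")


def new_hec_token():
    """A fresh random (version 4) UUID, the same call as the post's one-liner."""
    return str(uuid.uuid4())


def is_v4_uuid(value):
    """True only for a canonical 36-character version-4 UUID.

    uuid.UUID(value, version=4) would silently overwrite the version bits
    rather than validate them, so parse first and inspect the version field."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return parsed.version == 4 and str(parsed) == value.lower()


def rotate_token(conf_text, stanza, new_token=None):
    """Replace the token of one [http://...] stanza and return
    (new_text, old_token, new_token).

    Every other line (comments, other stanzas, ordering, spacing) is kept
    byte for byte.  Raises ValueError if the stanza has no token line or the
    replacement equals the current value, so a CI job fails loudly instead
    of promoting a credential that was already used in test."""
    new_token = new_token or new_hec_token()
    if not is_v4_uuid(new_token):
        raise ValueError("new token is not a version-4 UUID")
    out, in_stanza, old_token = [], False, None
    for line in conf_text.splitlines(keepends=True):
        header = _STANZA_LINE.match(line)
        if header:
            in_stanza = header.group("name") == stanza
        elif in_stanza and old_token is None:
            tok = _TOKEN_LINE.match(line)
            if tok:
                old_token = tok.group(2)
                line = tok.group(1) + new_token + tok.group(3)
        out.append(line)
    if old_token is None:
        raise ValueError("no token line found in stanza [%s]" % stanza)
    if old_token == new_token:
        raise ValueError("new token must differ from the current one")
    return "".join(out), old_token, new_token


def build_hec_request(host, token, event, index="main", sourcetype="myhecsourcetype"):
    """Build (without sending) the request an application makes with the new
    token: HTTPS POST to /services/collector/event on the default HEC port
    8088, with the token as a bearer credential in the Authorization header."""
    body = json.dumps({"event": event, "index": index, "sourcetype": sourcetype})
    return urllib.request.Request(
        "https://%s:8088/services/collector/event" % host,  # host is assumed
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    text, old, new = rotate_token(SAMPLE_INPUTS_CONF, "http://myhecinput")
    # Never echo the full new token into a CI log; a prefix is enough to
    # confirm that the rotation happened.  A real job writes `text` back to
    # the app's inputs.conf and stores `new` in the secret store.
    print("rotated %s... -> %s..." % (old[:8], new[:8]))
    req = build_hec_request("splunk-prod.example.internal", new, {"msg": "hello"})
    print(req.get_method(), req.full_url)
```

The line-based rewrite is deliberate: Python’s configparser would also parse the stanza, but writing it back drops comments and reorders keys, which makes the change noisy to review in Git. Checking the version field after parsing matters because uuid.UUID(value, version=4) forces the version bits instead of validating them, so a mistyped or hand-made value would pass silently.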

For further information and details on setting up the HEC refer to the Splunk docs here – https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/UsetheHTTPEventCollector

Alternatively feel free to contact us!


For 2021 we’ve committed to posting a new Splunk tip every week!

If you want to keep up to date on tips like the one above then sign up below:

Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.


Posted by: Sean Cruikshank

Splunk Admin with a focus on real-time operational monitoring using IT Service Intelligence (ITSI). I am also an AWS Solution Architect and Python hobbyist. I graduated from Abertay University in 2017 with a first class in BSc Ethical Hacking and Countermeasures. During my last year at university I was focused on data analysis and visualization, which led me to iDelta Ltd., where I've been working ever since. It has been a great fit to pursue data analytics skills in a work environment.