Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) source to receive logs from your Splunk HEC. Select and set up this source when you set up a pipeline.
To use Observability Pipelines’ Splunk HTTP Event Collector (HEC) source, you have applications sending data to Splunk in the expected HEC format.
To use Observability Pipelines’ Splunk HEC destination, you have a Splunk Enterprise or Cloud instance configured with an HTTP Event Collector (HEC) input. You also have the following information available:
The Splunk HEC token.
The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, 0.0.0.0:8080. Later on, you configure your applications to send logs to this address.
The base URL of the Splunk instance that the Worker will send processed logs to. This URL should include the port that is globally configured for Splunk HTTP Event Collectors on your Splunk instance. For example, for Splunk Cloud: https://prd-p-0mupp.splunkcloud.com:8088.
If your HECs are globally configured to enable SSL, then you also need the appropriate TLS certificates and password you used to create your private key file.
After you install the Observability Pipelines Worker and deploy the configuration, the Worker exposes three HTTP endpoints that uses the Splunk HEC API:
/services/collector/event
/services/collector/raw
/services/collector/health
To send logs to your Splunk index, you must point your existing logs upstream to the Worker.
<OPW_HOST> is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the LoadBalancerDNS CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example opw-observability-pipelines-worker.default.svc.cluster.local.
At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.