Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) source to receive logs from your Splunk HEC. Select and set up this source when you set up a pipeline.

Prerequisites

To use Observability Pipelines’s Splunk HTTP Event Collector (HEC) source, you have applications sending data to Splunk in the expected HEC format.

To use Observability Pipelines’s Splunk HEC destination, you have a Splunk Enterprise or Cloud instance configured with an HTTP Event Collector (HEC) input. You also have the following information available:

• The Splunk HEC token.
• The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, 0.0.0.0:8080. Later on, you configure your applications to send logs to this address.
• The base URL of the Splunk instance that the Worker will send processed logs to. This URL should include the port that is globally configured for Splunk HTTP Event Collectors on your Splunk instance. For example, for Splunk Cloud: https://prd-p-0mupp.splunkcloud.com:8088.
• If your HECs are globally configured to enable SSL, then you also need the appropriate TLS certificates and password you used to create your private key file.

See Configure HTTP Event Collector on Splunk Web for more information about setting up Splunk HEC.

Note: Observability Pipelines does not support HEC Indexer Acknowledgement.

Set up the source in the pipeline UI

Select and set up this source when you set up a pipeline. The information below is for the source settings in the pipeline UI.

원하는 경우 스위치를 토글하여 TLS를 사용하도록 설정합니다. TLS를 사용하도록 설정하는 경우 다음 인증서 및 키 파일이 필요합니다.

• Server Certificate Path: 인증 기관(CA) 루트 파일에 의해 서명된 인증서 파일의 경로(DER 또는 PEM(X.509))입니다.
• CA Certificate Path: 인증 기관(CA) 루트 파일(DER 또는 PEM(X.509))인 인증서 파일의 경로입니다.
• Private Key Path: 서버 인증서 경로에 속하는 .key 개인 키 파일의 경로(DER 또는 PEM(PKCS#8) 형식)입니다.

Send logs to the Observability Pipelines Worker over Splunk HEC

After you install the Observability Pipelines Worker and deploy the configuration, the Worker exposes three HTTP endpoints that uses the Splunk HEC API:

• /services/collector/event
• /services/collector/raw
• /services/collector/health

To send logs to your Splunk index, you must point your existing logs upstream to the Worker.

curl http://<OPW_HOST>:8088/services/collector/event \
	-d '{"event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'

<OPW_HOST> is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the LoadBalancerDNS CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example opw-observability-pipelines-worker.default.svc.cluster.local.

At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.