Splunk HEC Testing with CURL Command


Use this procedure when testing Splunk's HTTP Event Collector (HEC).

Step-by-step guide

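Open a command prompt window or terminal. Type the following cURL statement to test out your token. Be sure to replace <host> with your Splunk Enterprise or Splunk Cloud server's hostname, and <token> with the token you just copied to the Clipboard. The -k option tells curl to skip TLS certificate verification, which lets the test run against an instance that uses a self-signed certificate; leave it out when the server presents a certificate your system trusts: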

curl -k https://<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}' 

Alternatively, you can use Basic authentication, as shown here:

curl -k -u "x:<token>" https://<host>:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'

Notes:

(1) When creating requests to Splunk Cloud, you must add a prefix to the hostname in the URI according to your subscription. For self-service Splunk Cloud plans, prepend input- to the hostname. For all other Splunk Cloud plans, prepend http-inputs- to the hostname. In the previous example, the cURL statement would look like the following for self-service Splunk Cloud instances:

curl -k https://input-<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"Hello, World!"}' 

And for all other Splunk Cloud instances:

curl -k https://http-inputs-<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"Hello, World!"}' 


(2) Because of the way Windows handles single and double quotes, these cURL commands do not work on Windows. To get them to work on Windows, you can either replace the single quotation marks (') with double quotation marks (") and then escape the inner double quotation marks, or you can use an app like Postman for Google Chrome to send the request instead.

(3) You should now see the following response: {"text":"Success","code":0}

This means that Splunk Enterprise or Splunk Cloud has received the data. You can verify it's been received and indexed by searching in the search app.
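
The script below is an added example, not part of the original procedure: it wraps the same test so that the token reaches curl on stdin instead of the command line, TLS verification stays on (no -k), the Splunk Cloud prefix from note (1) is applied, and the reply is checked for the code 0 shown in note (3). The environment variable names HEC_TOKEN, HEC_HOST, HEC_PLAN and HEC_CACERT, the plan labels and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: HEC smoke-test helper (names below are hypothetical).
#   HEC_TOKEN  - the HEC token        HEC_HOST   - Splunk hostname
#   HEC_PLAN   - enterprise | cloud-selfservice | cloud
#   HEC_CACERT - optional CA bundle for a privately signed certificate

# Build the collector URL, applying the Splunk Cloud hostname prefix.
hec_url() {
    case "$1" in
        enterprise)        printf 'https://%s:8088/services/collector\n' "$2" ;;
        cloud-selfservice) printf 'https://input-%s:8088/services/collector\n' "$2" ;;
        cloud)             printf 'https://http-inputs-%s:8088/services/collector\n' "$2" ;;
        *) echo "unknown plan: $1" >&2; return 2 ;;
    esac
}

# Extract the numeric "code" field from an HEC JSON reply (empty if absent).
hec_code() {
    printf '%s' "$1" |
        sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed only on the documented reply: {"text":"Success","code":0}
hec_ok() {
    [ "$(hec_code "$1")" = "0" ]
}

# Send one test event. printf is a shell builtin and curl reads the header
# from stdin (--config -), so the token never shows up in the process
# argument list. Certificate verification is left enabled.
hec_send() {
    url=$(hec_url "$1" "$2") || return 2
    printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
        curl --silent --show-error --max-time 10 --config - \
             ${HEC_CACERT:+--cacert "$HEC_CACERT"} \
             --data '{"sourcetype": "mysourcetype", "event":"Hello, World!"}' \
             "$url"
}

# Contact the server only when a host has been configured.
if [ -n "${HEC_HOST:-}" ]; then
    reply=$(hec_send "${HEC_PLAN:-enterprise}" "$HEC_HOST") || exit 1
    if hec_ok "$reply"; then
        echo "HEC accepted the event"
    else
        echo "HEC rejected the event: $reply" >&2
        exit 1
    fi
fi
```

Run it with HEC_HOST and HEC_TOKEN exported in the environment; a non-zero exit status means the event was not accepted.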

