Splunk Cloud
  • 27 Jul 2021
  • 2 Minutes to read
  • Contributors

Splunk Cloud

This article describes how to configure Splunk Cloud. It is a software product that enables you to search, analyze, and view the data gathered from the components of your IT infrastructure or business. Splunk collects data from websites, applications, sensors, devices, and so on. You can configure Splunk Cloud to have full visibility of your Perimeter 81 activities.

  • Setting up the Splunk Event Collector
  • Enabling an HTTP Event Collector
  • Creating an Event Collector token
  • Configuring the Management Platform
  • Handling possible error codes

Setting up the Splunk Event Collector

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.
After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files.

Enabling an HTTP Event Collector

According to official Splunk documentation, Managed Splunk Cloud customers may need to contact Splunk support to perform this step.

  1. Click Settings > Data Inputs .
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. In the All Tokens toggle button, select Enabled.
  5. To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox (This is enabled by default in Splunk Cloud and can be disabled in Splunk Enterprise only).
  6. Click Save.

Creating an Event Collector Token

  1. Click Settings > Add Data.
  2. Click monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. Make sure indexer acknowledgment is disabled for this token.
  6. Click Next.
  7. Click Review.
  8. Confirm that all settings for the endpoint are what you want.
  9. If so, click Submit.

Configuring the Management Platform

You need to configure the integration from the Perimeter 81 side.

  1. Log in to your Perimeter 81 Management Platform, and navigate to Settings, and select Add at the Splunk row.
  2. Fill in the following information:
  • HEC Host: Enter an appropriate value according to your Splunk tier (replace {hostname} with your Splunk server hostname).

Splunk Cloud (paid): inputs-<host>

Splunk Cloud (free-trial): <host> OR inputs.<host>

  • HEC port: 8088 for Splunk Cloud free trial and 443 for Splunk Cloud paid
  • Protocol: HTTP for a free trial and HTTPS for paid.
  • Verify Server SSL Certificate (HTTPS only): If you are using a self-signed certificate disable SSL verification, however, if you are using a CA-signed certificate make sure to enable it.
  • HEC URIFilled automatically
  • Authentication token: Enter the token you generated at Splunk.

3. Select Validate.

Handling possible error codes

The following status codes have particular meaning for all HTTP Event Collector endpoints:

HTTP status code IDHTTP status codeStatus messageAction required
403ForbiddenToken disabledEnable token at Splunk Web.
401UnauthorizedInvalid authorizationPlease make sure you entered a valid token.
Invalid tokenPlease make sure you entered a valid token.
500Internal ErrorInternal server errorPlease contact our support team indication the error. We will examine the integration logs and further instruct you.
503Service UnavailableServer is busyThere are too many requests pending in the Splunk server queue. Please try again later.
400Bad RequestData channel is missing

Edit the token at the Splunk Platform and make sure to untick Indexer Acknowledgement.

400Bad Request
Error in handling indexed fields

Please contact our support team indicating the error. We will examine the integration logs and further instruct you.

Was this article helpful?

What's Next