In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

In this section, we'll talk about the HEC and how to enable it, because, as we noted in the preceding section, it is not, by default, enabled. The HEC was created with the Splunk user in mind, as a way to make the transfer of large amounts of data from web applications to Splunk much easier. To enable the HEC in your local Splunk instance, perform the following steps, after which you can refer the following screenshot:

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

Next, you will need to generate an HEC authentication token. The HEC token will ensure that no unknown applications will be able to send data to Splunk. This HEC authentication token will be sent in the HTTP headers of the incoming request to Splunk. Without this token, the response would typically indicate a status code 401 (Unauthorized error).

The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it started flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:

You will see an Input Settings page that looks like the following screenshot. Follow these instructions:

As you have learned in the previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new EC Inputs modified the c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf file with the upcoming content.

You need to modify this file now and add the Cross Origin Resource Sharing (CORS) policy. This will allow our REST API calls to the HEC to work later on. This is not necessarily done in a production environment.

Run this Windows command to create the inputs.conf file.

C:\> notepad c:\splunk\etc\apps\splunk_httpinput\local\inputs.conf

Modify the file by adding the highlighted line under the [http] stanza. Take note of the port in the URL; if you used a different port to launch your HTTP server, then make sure you change it here as well. We use port 8080 here because it is commonly used for this purpose, but check to make sure it is correct for your system:

[http] 
disabled = 0 
index = main 
sourcetype = access_custom 
enableSSL = 0 
crossOriginSharingPolicy = http://localhost:8080 
 
[http://Demo1] 
disabled = 0 
index = main 
indexes = main 
sourcetype = ec_demo1 
token = 49CB0FF2-C685-4277-B744-6550516175CF 

Restart Splunk for the changes to take effect:

C:\> c:\splunk\bin\splunk restart

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

Now we want to test the HEC. Here, we want to do a HEC  POST request. Splunk will expect the information below, which is the basic information you need to make a successful HEC POST. Again, notice that the port used is 8088, which is commonly used, but this can be configured according to the needs of your system:

An easy and quick way to test the HTTP event collector is using cURL (or curl, as it is sometimes written). cURL is included in Mac OS X and Linux, and helps to transfer data to or from a server. For this purpose, it can use one of many different protocols, including HTTP and HTTPS (we will give you another way this time using Windows in the following section).

Here is the command for cURL:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"event":"this is your message"}'

Although doing a one-time test in cURL is convenient, it is not included in Windows by default and you cannot further enhance your test programmatically.

Since we wrote this book in the context of Windows users, let us use PowerShell, which is a Windows-based scripting language and automation platform that is helpful for managing your information systems. It uses the .NET platform to give you the functionality needed to help control your Windows systems.

To bring up PowerShell, use the following steps:

Notice that the ISE will have two panels; the top one is where you write your script, and the bottom one, which is an actual PowerShell shell, is where you can execute commands. Once you create your script, a clickable Run Script icon will execute the script and return the output at the bottom panel. You can also press  F5 to execute the script.

Now, to move ahead with this exercise, perform the following steps:

Although doing this test in PowerShell was a little more complex than a mere cURL command, any Windows admin can now use the very same script you wrote and for a more practical application. For example, you can use this base script to check the status of a particular application and based on the conditions, report it back to Splunk.

Using the HEC with dynamic UI events

In the previous chapter, we created a dashboard using D3.js that renders a chart with Splunk data in it. You also learned how to use the HTTP server module as a simple web server. We will use the same setup for the next exercise.

First, we will create a static HTML file with form buttons that we can click. Every click event will generate a Splunk HEC POST in the background to capture the details of the click event. The code that follows is by no means secure and should not be used in production. This is for example purposes only.

Create a new HTML file inside the c:\dashboard\public directory and call it ectest.html. Copy or type in the following contents of the HTML file:

<!-- c:\dashboard\public\ectest.html --> 
<!doctype html> 
<head> 
  <title>EC Tester</title> 
</head> 
<body> 
  <h3>HTTP Event Collector UI Tester</h3> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 1 button clicked.')">Click Event 1</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 2 button clicked.')">Click Event 2</button> 
  <button type="button" id="btn1" onClick="splunkIt(this, 'Event 3 button clicked.')">Click Event 3</button> 
  <script src="/ectest.js"></script> 
</body> 
</html> 

Now run the HTTP server. Open a command prompt, and type in the following command:

C:\> http-server -p 8080 c:\dashboard\public

Launch a browser tab and navigate to http://localhost:8080/ectest.html. The following screenshot shows how the page will look:

Now let us create the JavaScript file that will be monitoring the button click events and sending the HEC data to Splunk.

Create a new JavaScript file inside the c:\dashboard\public directory and call it ectest.js. Change the ecToken value in the first line of the JavaScript file to your own HEC token:

// public/ectest.js 
var ecToken = '13EA3875-2879-4F44-AF0A-3ED336CB5BCA' 
 
function splunkIt(object, clickEvent) { 
  console.log(object, event); 
  var xhr = new XMLHttpRequest(); 
 
  xhr.open('POST', 'http://localhost:8088/services/collector', true); 
  xhr.setRequestHeader('Authorization', 'Splunk ' + ecToken); 
  xhr.withCredentials = true; 
  xhr.onload = function() { 
    if (xhr.status === 200) { 
      var userInfo = JSON.parse(xhr.responseText); 
    } 
  }; 
  xhr.send(JSON.stringify({ 
    event: clickEvent 
  })); 
}; 

Now that you have the JavaScript in place, reload your browser or navigate to the following URL again: http://localhost:8080/ectest.html. This was tested with Google Chrome.

You can open the Developer Tools and the JavaScript console within Google Chrome. The JavaScript console allows you to use basic JavaScript statements and commands specific to the console when the page is in the browser, thus allowing you to quickly and easily debug it. With the console, you can see any diagnostics, view both raw and structured data, filter and control the output, and modify various elements within the page.

Click the buttons and run the search query against Splunk. Set the time frame to a 5-minute window real time and watch the data flow in as soon as you click the buttons.

SPL> index=main sourcetype=ec_demo1

At this point, you have successfully created a web page that sends signals to Splunk every time a UI event is performed.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.

Perhaps the best use case for using the HEC is with logging libraries. These allow the automatic collection of data when code is executing.

We will use the HEC Stream for Bunyan. Bunyan is a simple and fast JSON logging library for Node.js services. Here are additional references you can look at regarding these projects:

The following sample code will inject an event to our initially defined HEC. Every time this is executed, it will create a Splunk event with a random number. You can find the complete code by cloning the external dashboard repository:

https://github.com/ericksond/splunk-external-dashboard

After cloning or unzipping the package, run this series of commands to install the dependencies:

C:\> git clone https://github.com/ericksond/splunk-external-dashboard.git 
C:\> cd splunk-external-dashboard ( or cd dashboard) 
C:\dashboard> npm install 
C:\dashboard> notepad heclogging.js

Change the HEC token by replacing the value in this field:

var config = { 
  token: "TOKEN GOES HERE", 
  url: "http://localhost:8088" 
}; 

Save the file then run the code:

C:\> node heclogging.js

If all goes well, you should see an output similar to this:

C:\> C:\dashboard>node heclogging.js
Sending payload { event: 'logging event #0.8825588226318359' }

Now go back to Splunk and check if your data made it in:

SPL> index=main sourcetype=ec_demo1

Here is an example event that shows that the code worked:

Here is the complete working code for the heclogging.js file:

var splunkBunyan = require("splunk-bunyan-logger"); 
var bunyan = require("bunyan"); 
 
var config = { 
  token: "13EA3875-2879-4F44-AF0A-3ED336CB5BCA", 
  url: "http://localhost:8088" 
}; 
var splunkStream = splunkBunyan.createStream(config); 
 
splunkStream.on("error", function(err, context) { 
  console.log("Error", err, "Context", context) 
}); 
 
var Logger = bunyan.createLogger({ 
    name: "logger", 
    streams: [ 
        splunkStream 
    ] 
}); 
 
var payload = { 
  event: "logging event #" + Math.random() 
}; 
 
console.log("Sending payload", payload); 
Logger.info(payload, "Posted successfully.") 

You can retrieve the code files used in this chapter in the following GitHub repository: https://github.com/ericksond/splunk-external-dashboard.