We introduced a new Splunk app last week called HTTP Event Push (HEP). As the name implies, it enables you to push Splunk search results to a remote HTTP endpoint. It supports the Splunk HTTP Event Collector (HEC) as a destination, but keep reading for more on that below. HEP is designed for organizations that run two or more data silos and need to have data available in multiple places in different formats. It can also facilitate automated sharing of very specific data across organizations. By searching the data after Splunk indexing, the data can be parsed into fields and transformed into something that works with other technologies.
The app currently includes the following features:
Setup page with a configurable target and HTTP Event Collector token.
Variables in the alert action form.
Send field-based data and/or the raw event.
Use sourcetype, index, and host from the search results or specify new values.
The functionality can be used out of the box for the following use cases:
Remote summary indexing to a dedicated instance or separate deployment
Data sharing between organizations
Send Splunk Enterprise Security’s Notable Events to another platform
Remote operational status reporting
Use the following steps to configure the app with a remote HTTP Event Collector endpoint:
On the remote HEC listener:
Configure a new token on the HTTP Event Collector.
Note the hostname/IP address of the HEC instance or load balancer.
On the source search head:
Navigate to Manage Apps, find the HTTP Event Push app, and click Set Up.
Enter the HTTP Event Collector hostname or IP, along with the token value you just created on the remote instance.
Write a search, set your time window, and click Search. Here’s an example:
Click Save As > Alert.
Enter the name for your alert. Make sure the Trigger setting is set to Once. Under Trigger Actions, click Add Actions and select HTTP Event Push.
Under the alert action, configure the destination event index, source, sourcetype, and host values.
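As an added illustration, not code from the HEP app itself, the following Python script does what the alert action does at the wire level: it maps search result rows to HEC event objects, takes index, sourcetype and host from the results unless you supply overrides, optionally includes the extracted fields and/or the raw event, and posts the batch with the HEC token in the Authorization header. The sample rows, the endpoint URL and the token are constructed placeholders.

```python
import json
import urllib.request

# Constructed sample rows shaped like the results an alert action receives
# (field dicts; _raw is the original event text). Not real data.
SAMPLE_RESULTS = [
    {"_time": "1700000000", "index": "os", "host": "web-01", "source": "/var/log/auth.log",
     "sourcetype": "linux_secure", "user": "admin", "src_ip": "203.0.113.5", "count": "7",
     "_raw": "sshd[4211]: Failed password for invalid user admin from 203.0.113.5"},
    {"_time": "1700000060", "index": "os", "host": "web-02", "source": "/var/log/auth.log",
     "sourcetype": "linux_secure", "user": "root", "src_ip": "198.51.100.9", "count": "3",
     "_raw": "sshd[9003]: Failed password for root from 198.51.100.9"},
]

def build_hec_events(results, index=None, sourcetype=None, host=None,
                     send_fields=True, send_raw=True):
    """Map result rows to HEC event objects; metadata from each row unless overridden."""
    if not (send_fields or send_raw):
        raise ValueError("nothing to send: enable fields and/or raw")
    events = []
    for row in results:
        fields = {k: v for k, v in row.items() if not k.startswith("_")}
        if send_fields and send_raw:
            body = dict(fields, _raw=row.get("_raw", ""))
        elif send_fields:
            body = fields
        else:
            body = row.get("_raw", "")
        ev = {"event": body}
        if "_time" in row: ev["time"] = float(row["_time"])  # HEC wants epoch seconds
        overrides = {"index": index, "sourcetype": sourcetype, "host": host}
        for key in ("index", "host", "source", "sourcetype"):
            value = overrides.get(key) or row.get(key)
            if value:
                ev[key] = value
        events.append(ev)
    return events

def hec_payload(events):
    # HEC accepts several JSON objects concatenated in one request body.
    return "\n".join(json.dumps(e) for e in events)

def push_to_hec(hec_base_url, token, payload):
    """POST to /services/collector/event with the HEC token; TLS is verified by default."""
    req = urllib.request.Request(
        hec_base_url.rstrip("/") + "/services/collector/event",
        data=payload.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())  # {"text": "Success", "code": 0} on success
```

To push, call push_to_hec("https://hec.example.org:8088", "<placeholder-token>", hec_payload(build_hec_events(SAMPLE_RESULTS, index="shared"))); a 403 means the token is wrong or disabled and a 400 with code 7 means the target index is not allowed for that token.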
Although we only support HEC targets today, we’re planning on supporting more in the future based on your feedback and suggestions. Check out our Trello board for this project to see more of the features and roadmap for it.
Where to Find It
You can find the most current version of the app on Splunkbase. If you want to poke around at the code or contribute to the project, check it out on GitHub. Feel free to send us your pull requests.