Introducing the HTTP Event Push App for Splunk

by August 19, 2019

A New Splunk App: HTTP Event Push (HEP)

Introduction

We introduced a new Splunk app last week called HTTP Event Push (HEP).  As the name implies, it enables you to push Splunk search results to a remote HTTP endpoint.  It supports Splunk HTTP Event Collector as a destination, but keep reading for more on that below.  HEP is designed for organizations that run two or more data silos and need to have data available in multiple places in different formats.  It can also facilitate automated sharing of very specific data across organizations.  By searching the data after Splunk indexing, the data can be parsed into fields and transformed into something that works with other technologies.

 

Features

The app current includes the following features:

  • Setup page with configurable target and http event collector token.
  • Variables in the alert action form.
  • Send field-based data and/or the raw event.
  • Use sourcetype, index, and host from the search results or specify new values.

 

Use Cases

The functionality can be used out of the box for the following use cases:

  • Remote summary indexing to a dedicated instance or separate deployment
  • Data sharing between organizations
  • Send Splunk Enterprise Security’s Notable Events to another platform
  • Remote operational status reporting

 

App Setup

Use the following steps to configure the app with a remote HTTP Event Collector endpoint:

On the remote HEC listener:

  1. Configure a new token on the HTTP Event Collector.
  2. Note the hostname/IP address of the HEC instance or load balancer.

On the source search head:

  1. Navigate to Manage Apps, find the HTTP Event Push app, and click Set Up.
  2. Enter the HTTP Event Collector hostname or IP, along with the token value you just created on the remote instance.
  3. Write a search, set your time window, and click Search.  Here’s an example:
     

     
  4. Click Save As > Alert
  5. Enter the name for your alert. Make sure the Trigger setting is set to Once.  Under Trigger Actions, click Add Actions and select HTTP Event Push.
  6. Under the alert action, configure the destination event index, source, sourcetype, and host values. 
  7.  

Check the User Guide page on our docs site for more current information.

 

Future Plans

Although we only support HEC targets today, we’re planning on supporting more in the future based on your feedback and suggestions.  Check out our Trello board for this project to see more of the features and roadmap for it.

 

Where to Find It

You can find the most current version of the app on Splunkbase.  If you want to poke around at the code or contribute to the project, check it out on Github.  Feel free to send us your pull requests.

 

Support

Contact us anytime with questions or comments at [email protected].

0 Comments

Leave a Reply

Share This