Seeing the HEC in action with cURL

Now that the configuration has been quickly completed, let's see how the HEC works. We will use cURL, a command-line URL tool, to show the HEC in action. The commands below use the HEC endpoint and the token created during configuration:

cURL is included in macOS and most Linux distributions, such as CentOS and RHEL, and transfers data to or from a server over HTTP(S) and other protocols.

For Windows users, to test the HEC using cURL, download the curl-7.46.0-win64 file available on the book's GitHub site.

From a Linux or macOS command line, enter the following cURL command. The -k flag tells cURL to skip TLS certificate verification; that is acceptable only for this local test against Splunk's self-signed certificate, and should not be carried into production scripts:

curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"event":"Mobile Device Event - Something happened"}'

For Windows, cURL commands require a slightly different syntax because the Windows command line treats single and double quotes differently. What were single quotes in the Linux cURL become double quotes, and the double quotes inside the JSON body are escaped with a backslash.

Here is the same cURL command as before, rewritten for a Windows environment. Notice the backslashes before the double quotes inside the JSON body, since Windows treats double quotes differently than a Linux shell does:

curl -k https://localhost:8088/services/collector -H "Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1" -d "{\"event\":\"Mobile Device Event - Something happened\"}"

If your cURL statements are successful, the HEC responds with {"text":"Success","code":0}. You can then search for the event in the Splunk UI with index=main source=http:Demo1. There are a variety of ways to send events to the HEC, so here are some additional options, using the Linux-based syntax.

Multiple events in one HTTPS message:

curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"event":"Mobile Device Event - Something happened"}{"event":"Mobile Device Event 2 - Something else happened"}'

One event with multiple fields:

curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"event": "Mobile Device Event", "fields": {"device": "macbook", "users": ["joe", "bob"]}}'

You can also use the _json sourcetype Splunk provides out of the box, as opposed to using a custom sourcetype as we have in these examples:

curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"sourcetype": "_json", "event": {"device": "macbook", "users": ["joe", "bob"]}}'
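The same four cases (a single event, several events in one request, an event with a fields block, and an event routed to the _json sourcetype) can be built and sent from a script instead of typed into cURL. The following Python program is an added example for this section and is not code from the book or from Splunk. It reuses the endpoint and token shown in the cURL commands above, builds the concatenated-JSON batch body that the HEC accepts, checks the {"text":"Success","code":0} reply, and verifies TLS certificates by default; the verify_tls=False switch is the equivalent of cURL's -k and is only for the local test instance. The split_batch helper decodes a batch the way the collector must, which is why an unquoted event string (as in a malformed batch) is rejected before anything is sent. The failure response in the comments is a constructed illustration.

```python
import json
import ssl
import urllib.request

# Endpoint and token taken from the cURL examples in this section.
HEC_URL = "https://localhost:8088/services/collector"
HEC_TOKEN = "e848d8a2-43f4-446c-af9c-e5cd8d7b26a1"


def make_event(event, sourcetype=None, fields=None):
    """Build one HEC event object. `event` may be a string or a dict (for _json)."""
    obj = {"event": event}
    if fields:
        obj["fields"] = fields          # indexed fields, as in the "users"/"device" example
    if sourcetype:
        obj["sourcetype"] = sourcetype  # e.g. "_json" to use the built-in sourcetype
    return obj


def build_batch(events):
    """Serialize events as back-to-back JSON objects; the HEC needs no separator."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events)


def split_batch(body):
    """Decode a concatenated-JSON batch into a list of objects.

    Raises ValueError (json.JSONDecodeError) on malformed input, for example an
    event value that is not quoted. Use it to validate a batch before sending.
    """
    decoder = json.JSONDecoder()
    body = body.strip()
    pos, objects = 0, []
    while pos < len(body):
        obj, end = decoder.raw_decode(body, pos)
        objects.append(obj)
        pos = end
        while pos < len(body) and body[pos].isspace():
            pos += 1
    return objects


def parse_hec_response(text):
    """Return (ok, message) from an HEC reply such as {"text":"Success","code":0}."""
    reply = json.loads(text)
    return reply.get("code") == 0, reply.get("text")


def send_to_hec(events, url=HEC_URL, token=HEC_TOKEN, verify_tls=True, timeout=5):
    """POST a batch to the HEC and return (ok, message).

    verify_tls=False disables certificate checking like `curl -k`; keep the
    default True anywhere but a throwaway local test instance.
    """
    body = build_batch(events)
    split_batch(body)  # fail fast locally instead of getting an error from the collector
    request = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    context = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(request, context=context, timeout=timeout) as response:
        return parse_hec_response(response.read().decode("utf-8"))


if __name__ == "__main__":
    batch = [
        make_event("Mobile Device Event - Something happened"),
        make_event("Mobile Device Event 2 - Something else happened"),
        make_event("Mobile Device Event", fields={"device": "macbook", "users": ["joe", "bob"]}),
        make_event({"device": "macbook", "users": ["joe", "bob"]}, sourcetype="_json"),
    ]
    print(build_batch(batch))
    # Against the local test instance only (self-signed certificate):
    # print(send_to_hec(batch, verify_tls=False))   -> (True, 'Success') when accepted
    # A rejected batch comes back with a non-zero code, e.g. (False, 'Invalid data format')
```

After the events are accepted, the same search from earlier, index=main source=http:Demo1, shows them in the Splunk UI; the _json event lands with its fields already extracted.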