Next, you will generate an HEC authentication token. The HEC token ensures that data arriving at your Splunk server on the assigned port is not indexed unless it comes from a known application. The HEC authentication token is sent in the HTTP header of the incoming request to Splunk. Without a valid token, Splunk typically responds with status code 401 (Unauthorized).
The HEC token will also enable you to override the source tag of all incoming data. This makes it easy to differentiate data streams later, based on where the data is coming from. It is best practice to create a separate token for each application. If something goes wrong with one application, say it starts flooding your Splunk instance with unwanted data, it will then be easy enough to disable that associated token to mitigate the issue. Follow these instructions:
- Go to Settings | Data Inputs.
- Find HTTP Event Collector.
- Click on New Token.
- In the Name field, enter Demo1.
- Leave the other fields as they are. Note, however, that we will return to the indexer acknowledgement functionality shortly.
- Click on Next to proceed:
You will see an Input Settings page that looks like the following screenshot. Follow these instructions:
- In the Input Settings page, you will create a new Source Type.
- In the first Source type section, click on New.
- Type http_events as the Source Type.
- Ensure the app context is set properly to our Destinations app. Remember that not setting this will mean your configurations are being placed in different locations from the prior exercises:
- In the Index section, select main as the selected index.
- main should also then appear in the Default Index setting as well:
- Click on Review to proceed.
- Verify your work against the following screenshot; then click on Submit.
- Once you are done, go back to Data Inputs | HTTP Event Collector and you should see the newly generated Token Value. Copy or take note of this value as you will need it for the exercises in this chapter.
As you have learned in previous chapters, everything that you change in the Splunk UI generally makes a change to a configuration file. In this case, the new token modified the C:\Splunk\etc\apps\destinations\local\inputs.conf file with the relevant input content, including the token, as seen here:
[http://Demo1]
disabled = 0
index = main
indexes = main
sourcetype = http_events
token = e848d8a2-43f4-446c-af9c-e5cd8d7b26a1
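To make the token check and the per-token defaults concrete, here is an added example (not from the book or from Splunk's own code) that parses inputs.conf stanzas like the one above and applies the same rules a collector would: reject requests whose Authorization header carries no, an unknown or a disabled token with 401, and stamp accepted events with the token's sourcetype and index. The token values, the second Demo2 stanza and the default source of http:<token name> are constructed assumptions for the example.

```python
import configparser
import json

# Constructed inputs.conf mirroring the Demo1 stanza; Demo2 is an assumed token
# that was disabled after its application started flooding the instance.
# Both token values are made-up placeholders, not real credentials.
INPUTS_CONF = """
[http://Demo1]
disabled = 0
index = main
indexes = main
sourcetype = http_events
token = 00000000-0000-0000-0000-000000000001

[http://Demo2]
disabled = 1
index = main
indexes = main
sourcetype = http_events
token = 00000000-0000-0000-0000-000000000002
"""

def load_hec_tokens(conf_text):
    """Parse [http://<name>] stanzas into a lookup keyed by token value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    tokens = {}
    for section in cp.sections():
        if not section.startswith("http://"):
            continue
        s = cp[section]
        tokens[s["token"]] = {
            "name": section[len("http://"):],
            "enabled": s.get("disabled", "0") == "0",
            "index": s.get("index", "main"),
            "indexes": {i.strip() for i in s.get("indexes", "").split(",") if i.strip()},
            "sourcetype": s.get("sourcetype", ""),
        }
    return tokens

def build_hec_request(token, event, source):
    """Client side: HEC expects 'Authorization: Splunk <token>' and a JSON body."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return headers, json.dumps({"event": event, "source": source})

def check_hec_request(headers, body, tokens):
    """Server side (simplified): returns (status_code, effective metadata or None)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Splunk" or value not in tokens or not tokens[value]["enabled"]:
        return 401, None                      # missing, unknown or disabled token
    tok, payload = tokens[value], json.loads(body)
    index = payload.get("index", tok["index"])
    if index not in tok["indexes"]:
        return 400, None                      # token may not write to that index
    return 200, {"index": index, "sourcetype": tok["sourcetype"],
                 "source": payload.get("source", f"http:{tok['name']}")}
```

Disabling a token in inputs.conf (disabled = 1) is enough to turn its traffic into 401s without touching any other application's token.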