This talk focus on what admins need to know about the HTTP Event Collector. Why it exists, how it differs from existing options, and how to configure, manage, deploy and scale it.
2. Disclaimer
2
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.
4. HTTP Event Collector
4
• A new token-based JSON API for
events
• Send events directly from anywhere
(servers, mobile devices, IOT)
• Easy to configure / works out of the
box.
• Easy to secure
• Highly performant, scalable and
available
6. How you use
• Enable HTTP Event Collector
• Create/Get a token
• Send events to Splunk using the token
– Use HTTP Directly
Create a POST request and
set the Auth header with the token
POST JSON in our event format to the
collector
– Use logging libraries
Support for .NET, Java and JavaScript loggers
6
7. Sending data
//send with curl
curl -k https://localhost:8088/services/collector
-H 'Authorization: Splunk 46931F1C-352C-4DF6-
820C-F2689CF88494' -d '{"event":"Hello Event
Collector"}'
7
11. Permissions and delegation
HTTP Event Collector requires the
edit_token_http cap.
You can delegate token admin to
devops / eng
Token admins can only manage the
feature, they do not have any other
admin permissions in Splunk
11
12. A few tips
Create tokens per app, department, component, service. etc. Not per user
or device especially if you are talking about a large number (> 10000)
Consider partitioning tokens to different indexes. This will speed up
searches and make it easy to archive
Consider delegating token management to devops/eng
Explicitly set allowed indexes on the token. If not set, the token can send
data to any index.
Use HTTP over HTTPS when you can. You can get about a 30% performance
gain.
Ask your devs to batch events. It greatly improves throughtput.
12
14. Scale and High Availability
14
Indexers
Search Head /
Deployment Server
15. Scale and High Availability
15
Event Collectors Indexers Search Heads
16. Distributed deployment
HTTP Event Collector can scale to meet your needs!
• Build in to splunkd, nothing special to install
• Run directly on the indexer
• Or run on a dedicated Collector instance and forward to an indexer
• Uses Deployment Server to to sync tokens across the Collector
instances
16
17. How to setup a DS client
splunk set deploy-poll [host]:8088
splunk enable deploy server
splunk restart
17
22. How it works
A new log driver capture container’s stdout and pushes to Splunk
Currently it is in development, but should be out of the box soon.
We’re contributing to Docker!!!!!!!
docker run --log-driver=splunk --log-opt splunk-token=F81DD289-
863D-45EF-B9CE-A7D3514AF2C7 --log-opt splunk-
url=https://10.20.17.169:8088 --log-opt splunk-
insecureskipverify=true hello-world
22
24. Next steps?
24
Breakouts
Liberate Your Application Logging
More information
docs.splunk.com, see "Getting Data In"
dev.splunk.com
Come by the Developer Booth and say hi / ask questions!
Related breakout sessions and activities…