
Configure HTTP Event Collector for the Splunk Add-on for Amazon Web Services on a single-instance Splunk Enterprise deployment

Install the Splunk Add-on for Amazon Web Services on a single-instance Splunk Enterprise deployment. For optimal performance, set ackIdleCleanup to true in inputs.conf. The file is located at $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf on *nix and at %SPLUNK_HOME%\etc\apps\splunk_httpinput\local\inputs.conf on Windows.

  1. Decide what index you want to use to collect your push-based input data. Ensure that this index is enabled and active. Sending data to a disabled or deleted index results in dropped events. If you need to create a new index, see Create custom indexes in Managing Indexers and Clusters of Indexers.
  2. Go to Settings > Data inputs > HTTP Event Collector, then select Global Settings.
  3. Check the box next to Enable SSL, then select Save.
  4. Create an HTTP event collector token with indexer acknowledgments enabled. For a detailed walkthrough, see Set up and use the HTTP Event Collector in Getting Data In. During the configuration:

    a. Specify a Source type for your incoming data. See Source types for the Splunk Add-on for AWS for the source types supported by this add-on.

    b. Select an Index to which Firehose will send data.

    c. Check the box next to Enable indexer acknowledgement.

  5. Save the token that Splunk Web provides. You need this token when you configure your data streaming service (for example, Amazon Kinesis Firehose or Amazon EventBridge) in AWS.

  6. For each additional source type from which you want to collect data, repeat steps 4 and 5: create an HTTP event collector token with indexer acknowledgments enabled, then save the token. Each source type requires a unique HTTP event collector token.
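One way to check the result of the steps above from the configuration side, as an added example that is not part of the Splunk documentation: a small audit over inputs.conf text, for instance the merged output of `splunk btool inputs list`. It assumes the global settings sit in the [http] stanza and each token in an [http://<name>] stanza; the stanza names and token values in the sample are constructed placeholders.

```python
import configparser

# Constructed sample; stanza names and token values are placeholders.
SAMPLE = """\
[http]
enableSSL = 1
ackIdleCleanup = false

[http://firehose_cloudtrail]
token = 00000000-0000-0000-0000-000000000001
index = aws
sourcetype = aws:cloudtrail
useACK = 1

[http://firehose_vpcflow]
token = 00000000-0000-0000-0000-000000000001
index = aws
useACK = 0
"""

TRUE = {"1", "true"}  # spellings this example treats as enabled

def is_on(section, key):
    return section.get(key, "").strip().lower() in TRUE

def audit_hec(conf_text):
    """Return (stanza, problem) pairs for the settings this procedure sets."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. useACK
    cp.read_string(conf_text)
    glob = cp["http"] if cp.has_section("http") else {}
    findings = [("http", f"{key} is not true")
                for key in ("enableSSL", "ackIdleCleanup") if not is_on(glob, key)]
    seen = {}  # token value -> first stanza that used it
    for name in (s for s in cp.sections() if s.startswith("http://")):
        sec = cp[name]
        if not is_on(sec, "useACK"):
            findings.append((name, "useACK (indexer acknowledgment) is off"))
        for key in ("index", "sourcetype"):
            if not sec.get(key, "").strip():
                findings.append((name, f"{key} is not set"))
        token = sec.get("token", "").strip()
        if token and token in seen:
            findings.append((name, f"token also used by {seen[token]}"))
        seen.setdefault(token, name)
    return findings

if __name__ == "__main__":
    print(*audit_hec(SAMPLE), sep="\n")
```

A setting that is absent from the text is reported as not set, so audit the merged configuration rather than a single local file.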

Next steps

See Configure AWS infrastructure to send data to the Splunk platform.