
Ingest Splunk HEC Events into Cribl Search

Collect data sent over HTTP(S) and store it in Cribl Search for fast analysis.


Before You Begin

You’ll need:

  • Cribl.Cloud Enterprise. For details, see Pricing.
  • A lakehouse engine. See Lakehouse Engines for how to get one.
  • Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
  • A Splunk HEC sender that can reach Cribl Search over HTTP(S): universal forwarder, heavy forwarder, or any other HEC client.

You don’t need Cribl Stream, Edge, or Lake. (Looking for the Splunk HEC Source in Cribl Stream instead?)

1. Add a Splunk HEC Source in Cribl Search

On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Splunk HEC.

Describe Your Source and Set the HEC Endpoint

Under General, configure:

Setting: ID
Source ID, unique across your Cribl.Cloud Workspace. Use letters, numbers, underscores, and hyphens.
Example: splunk_hec_prod

Setting: Description
Describe your Source so others know what it's for.
Example: Ingests HEC from prod Splunk

Setting: Address
Hostname (FQDN) that your HEC client connects to. You'll need this to set up your HEC client.
Example: search.main.foo-bar-abc123.cribl.cloud

Setting: Port
Network port to listen on. Keep the default unless it conflicts with another service.
Example: 8088 (default)

Setting: Splunk HEC endpoint
Base path on which to listen for Splunk HEC API requests. Cribl Search automatically handles these sub-paths beneath it: /event, /raw, /s2s, and /health.
Example: /services/collector (default), which therefore handles /services/collector/event, /services/collector/raw, /services/collector/s2s, and /services/collector/health.

Set up Authentication

Use authentication to make sure only authorized HEC clients can send data to your Cribl Search Source.

Under Authentication, select Add Token. Add as many tokens as you need, and check Enable token for each token you want active. Give each client or environment its own token, so that you can disable or rotate one without disrupting the others.

For each token, set Authentication method to Manual or Secret.

Manual

Setting: Token
Authentication string you'll need to set up your HEC client. Enter a token text, or select Generate for a random one. Anyone holding the token can write to this Source, so prefer a generated value over a short, guessable one, and handle it like a password.
Example: 420

Setting: Description
Describe which clients or environments use the token.
Example: Prod UF

Setting: Allowed indexes
Splunk indexes allowed for this token. Events whose index value doesn't match are not ingested. Use this to scope tokens to specific indexes: for example, give the web team a token restricted to web_* and the security team a token restricted to security_* to keep each team's data separate. Use wildcards to match multiple indexes. Leave blank to allow all.
Example: dev_*

Setting: Fields
Extra fields to add to each event that arrives with this token. Use this to stamp events with metadata you can later search by. In Value, enclose JavaScript expressions in backticks ` `.
Example: Field name: fullSource, Value: `${host}:${source}`

Secret

Setting: Auth token (text secret)
Reference to a stored secret containing the token. You'll need the token value to set up your HEC client. Select a secret or Create a new one (see Create and Manage Secrets in Cribl Stream).
Example: sec_hec_token

Setting: Description
Describe which clients or environments use the token.
Example: Prod UF

Setting: Allowed indexes
Splunk indexes allowed for this token. Events whose index value doesn't match are not ingested. Use this to scope tokens to specific indexes: for example, give the web team a token restricted to web_* and the security team a token restricted to security_* to keep each team's data separate. Use wildcards to match multiple indexes. Leave blank to allow all.
Example: dev_*

Setting: Fields
Extra fields to add to each event that arrives with this token. Use this to stamp events with metadata you can later search by. In Value, enclose JavaScript expressions in backticks ` `.
Example: Field name: fullSource, Value: `${host}:${source}`

Set Up Encryption

Use TLS encryption to protect your data in transit between upstream Splunk HEC senders and your Cribl Search Source.

Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept:

  • 1.3: Recommended. Provides the best security.
  • 1.2: Use only when connecting from older systems that don't support TLS 1.3.
  • Older than 1.2: Avoid if possible. These versions are no longer considered secure.

Select Save to create the Source.

2. Set Datatype Rules

Configure Datatype rules to parse, filter, and normalize your data into structured fields. We call this process Datatyping.

On the Cribl.Cloud top bar, select Products > Search > Data > Datatyping (auto). Here, you can:


3. Set Dataset Rules

Configure Dataset rules to organize the parsed events into Datasets. This also determines how long the data is kept, as each Dataset has its own retention period.

On the Cribl.Cloud top bar, select Products > Search > Data > Datasets. See Organize Your Data for details.

4. Set Up Your HEC Client

Configure your upstream Splunk HEC client to send data to Cribl Search.

You’ll need these details from your Source configuration:

  • Address: search.main.foo-bar-abc123.cribl.cloud
  • Port: 8088 (default)
  • Splunk HEC endpoint: /services/collector
  • Token / Auth Token: 420

To find these for an existing Source: On the Cribl.Cloud top bar, select Products > Search > Data > Sources, and select your Source.

Example Request (Splunk HEC > Cribl Search)

Replace the example address (search.main.foo-bar-abc123.cribl.cloud) and port (if you changed the default 8088) with your Source values. Without TLS, use http instead of https.

The -k flag tells curl to skip certificate verification; it is convenient while you test, but drop it once the client trusts the certificate your Source presents, otherwise the token travels over a connection whose peer was never verified.

JSON Event

curl -k "https://search.main.foo-bar-abc123.cribl.cloud:8088/services/collector" \
  -H "Authorization: your_token" \
  -d '{"event": "Goats are better than ponies."}{"event": "Goats are better climbers."}{"event": "Goats are great yoga buddies.", "nested": {"horns": "Two is better than one!"}}'

Health Check

curl -k "https://search.main.foo-bar-abc123.cribl.cloud:8088/services/collector/health"
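The curl commands above are enough to prove the path works. The following is an added example of a small HEC client, written for this page and not taken from Cribl or Splunk, that shows what a scripted sender has to get right: the URL built from the Source's Address, Port and endpoint, a batch body of concatenated JSON objects (the form the curl example uses), certificate verification with a TLS 1.2 floor instead of curl -k, and a client-side check against the token's Allowed indexes so that events destined for a disallowed index are reported rather than silently dropped by the Source. The address is the page's example; the token is a placeholder; the glob-style matching for Allowed indexes and the sample events are assumptions made for the example.

```python
"""Minimal Splunk HEC sender for a Cribl Search Source (added example, not Cribl code)."""
import fnmatch
import json
import ssl
import urllib.request

# Values from the Source configuration. The address is the page's example;
# the token is a placeholder that must be replaced with a real one.
ADDRESS = "search.main.foo-bar-abc123.cribl.cloud"
PORT = 8088
ENDPOINT = "/services/collector"
TOKEN = "replace-with-your-token"
# Mirror the token's Allowed indexes setting so the client can pre-check events.
ALLOWED_INDEXES = ["dev_*"]


def hec_url(address=ADDRESS, port=PORT, endpoint=ENDPOINT, tls=True, path=""):
    """Build the collector URL; path is a sub-path such as "/event" or "/health"."""
    scheme = "https" if tls else "http"
    return f"{scheme}://{address}:{port}{endpoint}{path}"


def index_allowed(index, patterns):
    """Client-side view of Allowed indexes. Glob matching is an assumption;
    an empty pattern list means the token allows every index."""
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(index, p) for p in patterns)


def build_batch(events, index=None, patterns=ALLOWED_INDEXES):
    """Serialize events as concatenated JSON objects (the batch form used in the
    page's curl example). Events the token would reject are returned separately
    so the caller can see them instead of losing them server-side."""
    parts, rejected = [], []
    for ev in events:
        payload = dict(ev)
        if index is not None:
            payload.setdefault("index", index)
        if "index" in payload and not index_allowed(payload["index"], patterns):
            rejected.append(payload)
            continue
        parts.append(json.dumps(payload, separators=(",", ":")))
    return "".join(parts), rejected


def tls_context(cafile=None):
    """Verify the server certificate (the opposite of curl -k) and refuse
    anything older than TLS 1.2, matching the page's TLS guidance."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_batch(body, token=TOKEN, url=None, ctx=None):
    """POST a batch to the /event sub-path. The bare-token Authorization header
    follows the page's curl example."""
    req = urllib.request.Request(
        url or hec_url(path="/event"),
        data=body.encode("utf-8"),
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx or tls_context(), timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def health(url=None, ctx=None):
    """Unauthenticated health probe, the same as the page's second curl command."""
    with urllib.request.urlopen(url or hec_url(path="/health"),
                                context=ctx or tls_context(), timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample events; "prod_web" is outside the dev_* allowlist on purpose.
    sample = [
        {"event": "Goats are better than ponies.", "index": "dev_web"},
        {"event": "Goats are great yoga buddies.", "index": "prod_web"},
        {"event": {"msg": "nested fields work too", "horns": 2}},
    ]
    body, rejected = build_batch(sample, index="dev_default")
    print("rejected locally:", rejected)
    print("health:", health())
    print("send:", send_batch(body))
```

Running the script against a real Source needs the placeholder token replaced; everything but health() and send_batch() works offline, which is useful for checking the batch body and the allowlist logic before any event leaves the host.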

5. See Live Data Flow

Verify that events are successfully flowing from Splunk into Cribl Search.

On the Cribl.Cloud top bar, select Products > Search > Data > Live Data.

Here, check for your Splunk HEC Source. For details, see See Live Data Flow.

Next Steps

Now that your data is in Cribl Search, you can start using it. For example: