Add a Splunk HEC Source for Cribl Search

Collect data sent using the HTTP/HTTPS protocols, including from the Splunk Universal Forwarder, so you can search it fast.


What’s a Splunk HEC Source in Cribl Search?

A Cribl Search data source that receives events from Splunk senders over HTTP or HTTPS using the Splunk HTTP Event Collector (HEC) API and stores them in a lakehouse engine for fast access.

Looking for the Splunk HEC Source in Cribl Stream? See Splunk HEC Source in Cribl Stream.

What You Need First

To set up this Source, you need:

You don’t need Cribl Stream, Edge, or Lake.

Add a Splunk HEC Source for Cribl Search

On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Splunk HEC.

1. Describe Your Source

Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and if it’s safe to modify.

The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search prefixes it with in_ on save (for example, splunk_hec becomes in_splunk_hec).

2. Note the Source Endpoint

Under General, note down the Address and Port. You’ll need them to configure your Splunk HEC sender to send data here.

Keep the default port unless it conflicts with another service.

3. Set the Splunk HEC Endpoint

Under General, set Splunk HEC endpoint to the absolute path on which to listen for Splunk HTTP Event Collector API requests.

The following endpoints are supported:

  • /services/collector (default)
  • /event
  • /raw
  • /s2s

4. Set Up Encryption

TLS encryption protects your data in transit between upstream Splunk HEC senders and this Source.

Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.

TLS version | When to use
1.3 | Recommended. Provides the best security.
1.2 | Use only when connecting to older systems that don’t support TLS 1.3.
Older than 1.2 | Avoid if possible. These versions are no longer considered secure.

5. Set Up Authentication

Authentication ensures only authorized senders can push data to your Source.

Under Authentication, select Add Token, and configure:

  • Token secret (text secret): Select a stored text secret that holds the token, or choose Create to add a new one (see Create and Manage Secrets).
  • Enable token: Turn on to require this token for incoming requests to your Source. Disable only when testing without authentication.

Next Steps

Confirm with Save. Now, you’re ready to:

  • Set Datatype rules for parsing your data. See Shape Your Data.
  • Set Dataset rules for organizing your data. See Organize Your Data.
  • Configure your Splunk HEC sender to send data to the Source endpoint.
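
The sender side of the settings above, as an added example that is not part of the Cribl documentation: it builds an HEC event request that presents the token and uses a TLS context that refuses anything below TLS 1.3. The host name, port 8088, the HEC_TOKEN environment variable, and the /event suffix appended to the configured endpoint are assumptions; substitute the Address, Port, and endpoint from your Source.

```python
import json
import os
import ssl
import urllib.request


def build_tls_context(minimum=ssl.TLSVersion.TLSv1_3):
    """Client context that verifies the server certificate and refuses
    to negotiate below `minimum` (the sender-side mirror of step 4)."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = minimum
    return ctx


def build_hec_request(address, port, token, event,
                      endpoint="/services/collector", sourcetype=None):
    """Build (without sending) an HEC event request for the Source."""
    if not token:
        raise ValueError("HEC token is required; refusing to send without one")
    # Assumption: events go to the configured endpoint plus /event.
    url = f"https://{address}:{port}{endpoint.rstrip('/')}/event"
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",  # standard HEC auth scheme
            "Content-Type": "application/json",
        },
    )


def send(request, context, timeout=10):
    """Send the request; raises on TLS failure or an HTTP error status."""
    with urllib.request.urlopen(request, context=context, timeout=timeout) as r:
        return r.status, r.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample values; use the Address and Port noted in step 2.
    token = os.environ.get("HEC_TOKEN", "constructed-placeholder-token")
    req = build_hec_request("source.example.invalid", 8088, token,
                            {"message": "hec connectivity test"})
    print(req.get_method(), req.full_url, build_tls_context().minimum_version)
    # Call send(req, build_tls_context()) once the real values are in place.
```

A sender that can only negotiate TLS 1.2 fails the handshake with this context, which is the quickest way to find forwarders that would force you to lower the Minimum TLS version.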