Add a Splunk platform HEC destination

  1. In the Edge Processor service, select Destinations.
  2. On the Destinations page, select New destination, then Splunk platform using HEC.
  3. Provide a name and description for your destination.
    Field Description

    Name

    A unique name for your destination

    Description

    (Optional) A description of your destination

  4. In the HEC URI field, enter one of these values:
    • The HEC URI of the Splunk platform instance that you want to send data to. This URI must point to the services/collector HEC endpoint.
    • The URL of a load balancer or DNS that you're using to send data to multiple Splunk platform instances.

    The HEC URI or URL must start with https instead of http if any of the following conditions are true:

    • You want the Edge Processor to verify the identity of the Splunk platform instance, load balancer, or DNS using TLS.
    • You're sending data to a Splunk Cloud Platform indexer. Splunk Cloud Platform indexers always require TLS.
    • You're sending data to a Splunk Enterprise indexer that uses mTLS and requires the Edge Processor to prove its identity using TLS certificates.
  5. In the Default HEC token field, enter the value of a HEC token from your Splunk platform deployment. This HEC token is used only when the Edge Processor is sending out data that is not already associated with a HEC token.
  6. (Optional) Provide default values for the metadata fields in the events that are sent through this destination. These values are used only if the events do not already contain source, sourcetype, or index values.
    Field Description

    Default source

    The name of the source from which the event originates.

    Default source type

    A value that identifies the data structure of the event.

    Default index

    The name of the Splunk index that the Edge Processor sends the event to.

  7. If you're sending data to a Splunk instance that doesn't use mTLS, then skip this step. If you're sending data to a Splunk Enterprise indexer that uses mTLS, then do the following:
    1. Select Authenticate identity using TLS certificates.
    2. Upload the appropriate private key and certificates in these fields:
      Field Description

      Client private key

      A PEM file containing the decrypted private key associated with your client certificate

      Client certificate

      A PEM file containing a client certificate

      CA certificates

      The CA certificates used to verify the indexer

  8. To finish adding the destination, select Add.

You now have a destination that you can use to send data from an Edge Processor to one or more Splunk platform instances using HEC.

To start sending data, create a pipeline that uses the destination you just added and then apply that pipeline to your Edge Processor. For more information, see Create pipelines for Edge Processors and Apply pipelines to Edge Processors.