It also needs to include the HEC ports (default: 8088) and can be found in the HEC settings
Splunk Enterprise → Settings → Data Input → HTTP Event Collector → Global Settings → HTTP Port Number.
If you are using SSL to connect from SAP → Splunk, you must ensure that:
· The URL you enter here matches the CN in the certificate loaded in to the HEC endpoint, by default this is not true, Splunk comes delivered with a self signed certificate with CN=SplunkDefaultCert. This will not pass validation inside SAP.
· This URL must be contactable from the SAP application server. You can test this using curl (unix/linux), or Invoke-WebRequest (Windows/PowerShell) to ensure SAP and connect successfully to the HEC endpoint and ensure there are no port blocks in place.
· Ensure the HEC endpoint certificate (if it is self-signed) or the intermediate & root signed certificates in the HEC endpoint chain are loaded in to SAP.
If you want to send the data to multiple Splunk HEC endpoints, you can specify them comma delimited, however:
· there must be the same number of HEC endpoints configured as HEC tokens
· They must all use the same index name, and sourcetype