Splunk HEC Key: This is the HEC token, which can be found in Splunk Enterprise → Settings → Data Input → HTTP Event Collector. Enter the HEC token for the HEC endpoint you want to use.
Splunk HEC URL: This is the URL of the Splunk HEC endpoint that you are sending the data to. It must include http:// or https:// at the start and be a correct URL (example: http://server.domainname.com:8088).
It also needs to include the HEC port (default: 8088), which can be found in the HEC settings:
Splunk Enterprise → Settings → Data Input → HTTP Event Collector → Global Settings → HTTP Port Number.
If you are using SSL to connect from SAP → Splunk, you must ensure that:
· The URL you enter here matches the CN in the certificate loaded into the HEC endpoint. By default this is not true: Splunk comes delivered with a self-signed certificate with CN=SplunkDefaultCert, which will not pass validation inside SAP.
· This URL is contactable from the SAP application server. You can test this using curl (Unix/Linux) or Invoke-WebRequest (Windows/PowerShell) to ensure SAP can connect successfully to the HEC endpoint and that there are no port blocks in place.
· The HEC endpoint certificate (if it is self-signed), or the intermediate and root certificates in the HEC endpoint's chain, are loaded into SAP.
If you want to send the data to multiple Splunk HEC endpoints, you can specify them as a comma-delimited list, however:
· There must be the same number of HEC endpoints configured as HEC tokens
· They must all use the same index name and sourcetype
Example config for multiple HEC endpoints:
HEC Url: http://server1.example.com:8088,http://server2.example.com:8088,http://server3.example.com:8088;
This configuration will load balance the data across all 3 servers.
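The rules above (http:// or https:// prefix, explicit HEC port, one token per endpoint, URL host matching the certificate CN) can be checked before the values are entered in SAP. The following is an added example, not part of the product or its documentation; the function names and sample values are hypothetical, and the exact, case-insensitive CN comparison is a simplifying assumption about how the name is matched.

```python
from urllib.parse import urlsplit

DEFAULT_CN = "SplunkDefaultCert"  # CN of the self-signed certificate Splunk ships with


def check_hec_config(url_field, token_field):
    """Return a list of problems in the comma-delimited HEC URL and token fields."""
    urls = [u.strip() for u in url_field.split(",") if u.strip()]
    tokens = [t.strip() for t in token_field.split(",") if t.strip()]
    problems = []
    if len(urls) != len(tokens):
        problems.append(f"{len(urls)} URL(s) but {len(tokens)} token(s)")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{url}: not a valid http:// or https:// URL")
            continue
        try:
            port = parts.port
        except ValueError:  # non-numeric or out-of-range port
            port = None
        if port is None:
            problems.append(f"{url}: missing or invalid HEC port (default: 8088)")
    return problems


def check_cert_cn(url, cert_cn):
    """Compare the host in an https HEC URL with the certificate CN; None means OK."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # no certificate is involved for plain http
    if cert_cn == DEFAULT_CN:
        return f"{url}: endpoint still presents the default {DEFAULT_CN} certificate"
    if (parts.hostname or "").lower() != cert_cn.lower():
        return f"{url}: host does not match certificate CN {cert_cn!r}"
    return None


if __name__ == "__main__":
    # Constructed sample values; the tokens are placeholders, not real HEC tokens.
    urls = "https://server1.example.com:8088,https://server2.example.com,server3.example.com:8088"
    tokens = "TOKEN-1,TOKEN-2"
    for problem in check_hec_config(urls, tokens):
        print("config:", problem)
    print("cert:", check_cert_cn("https://server1.example.com:8088", "SplunkDefaultCert"))
```

The CN passed to `check_cert_cn` has to be read from the certificate actually installed on the HEC endpoint; the script does not fetch it.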
This is the index in which the agent will store the data. You can specify only 1 (one) index, even if you have multiple HEC endpoints.
This is the sourcetype the data is tagged with when sent to Splunk. Do not change this value.