Skip to main content

Send events with HEC

You can send events to Imply Lumi using the HTTP event collector (HEC). This integration is compatible with the Splunk® OpenTelemetry (OTel) collector. You can also push events to a HEC endpoint directly using your application of choice to send HTTP requests, such as curl. The following diagram shows a high-level overview of the HEC integration:

Imply Lumi HEC

For other approaches to send events to Imply Lumi, see Send events.

This topic provides details on configuring event forwarding using HEC.

Prerequisites

To send events to Imply Lumi using HEC, you need the following:

  • An Imply Lumi user with the Data manager role or higher. For information on roles and permissions, see Manage roles.
  • An Imply Lumi IAM key. See Create an IAM key for details.

Set HEC attributes

When sending events with HEC, the IAM key authenticates connections to send events to Imply Lumi. If you assign any global or HEC-specific attributes to the key, Imply Lumi enriches incoming events with those values. On the IAM key, you also assign the index to associate with incoming events.

Note that user attributes derived from raw events and upstream agents take precedence over any attributes you set on IAM keys in Imply Lumi.

You can configure the following attributes on an IAM key. These attributes apply to events sent over HEC.

  • Source: Origin of the events sent to Imply Lumi.
    Default: http:IAM_KEY_NAME. For example, http:demo-key.
  • Source type: Type of event data.
    Default: httpevent
  • Default index: Repository for incoming events.
    Default: Imply Lumi server default index. For example, main.
  • Allowed indexes: Comma-separated list of allowed values for the index field.
    Default: All indexes are allowed.
Default source

The default source associated with an IAM key follows the default source name assignment in Splunk—http:TOKEN_NAME. However, note that HEC token names are unique in Splunk but don't need to be unique in Imply Lumi.

For more information on attributes that enrich events, see Event model. For reference information on IAM key attributes, see IAM keys.

Configure event forwarding

Before configuring event forwarding, access the HEC integration page in Imply Lumi. Select your IAM key. The page populates with endpoint and IAM key information required to authenticate the connection.

Configure your event forwarding mechanism to export to Imply Lumi. You can use any application compatible with HTTP specifications. Supply the IAM key token and endpoint provided by Imply Lumi.

After you create or select an IAM key, Imply Lumi populates the details in Configure event forwarding with your specific IAM key token and Imply Lumi endpoint.

Imply Lumi also provides a POST request that you can use to send events over HTTP with curl.

The following examples use these values:

  • IAM_KEY_TOKEN: IAM key token provided by Imply Lumi. For example, 229a2561-0000-0000-0000-bc433de16f89.
  • LUMI_ENDPOINT: Your Imply Lumi endpoint. For example, https://splunk-hec.api.lumi.imply.io/services/collector.

Example with OTel collector

The Splunk OTel collector can send events to Imply Lumi and Splunk using the splunk_hec exporter.

If you already use the Splunk OTel collector to forward data to Splunk, the exporters section in your configuration may read as:

exporters:
  splunk_hec/logs:
    <existing Splunk exporter>

To forward events to both Splunk and Imply Lumi, update exporters to include Imply Lumi:

exporters:
  splunk_hec/logs:
    <existing Splunk exporter>
  splunk_hec/logs_lumi:
    token: "IAM_KEY_TOKEN"
    endpoint: "LUMI_ENDPOINT"

You also need to add the new exporter in service.pipelines.logs.exporters:

service:
  ...
  pipelines:
    logs:
      receivers: ...
      processors: ...
      exporters: [splunk_hec/logs, splunk_hec/logs_lumi]

The name of an OTel collector exporter follows the format TYPE/NAME, where the name uniquely identifies the component. The preceding description uses the logs_lumi name, but you can customize it to your preference.

The following example shows the relevant stanzas of a Splunk OTel collector configuration:

...

exporters:
  splunk_hec/logs:
    <existing Splunk exporter>
  splunk_hec/logs_lumi:
    token: "229a2561-0000-0000-0000-bc433de16f89"
    endpoint: "https://splunk-hec.api.lumi.imply.io/services/collector"

...

service:
  ...
  pipelines:
    logs:
      receivers: ...
      processors: ...
      exporters: [splunk_hec/logs, splunk_hec/logs_lumi]

For an end-to-end tutorial on sending events to Imply Lumi with the OTel collector, including how to parse data using regular expressions, see Send data to Imply Lumi using OpenTelemetry.

For more information on configuring an exporter with the OTel collector, see the Splunk documentation on Splunk HEC exporter.

Example with curl

You can send events using HTTP POST requests, such as in the following curl command:

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Splunk IAM_KEY_TOKEN" \
     -d '{ "event": "test-event", "source": "curl", "sourcetype": "test" }' \
  LUMI_ENDPOINT

The event key is required. You can add user attributes using the fields key, such as the attributes key1 and key2 in the following example.

curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Splunk 229a2561-0000-0000-0000-bc433de16f89" \
     -d '{ "event": "Demo log", "fields": {"key1": "value1", "key2": ["value2", "value3"]}, "index": "demo", "source": "curl", "sourcetype": "manual" }' \
  https://splunk-hec.us1.api.lumi.imply.io/services/collector

Check Imply Lumi for events

Once you configure event forwarding and send events, you can preview the incoming data in Imply Lumi:

  1. Click Integrations in the navigation menu.

  2. Click HEC.

  3. Click View instructions.

  4. In Select or create an IAM key, select your key.

  5. In Preview incoming data, you'll see the events coming in to Imply Lumi. For example:

    HEC integration

    Imply Lumi automatically refreshes the preview pane to display the latest events. If you don't see any incoming data, check the details in your curl request or OTel config file.

  6. Click Go to explore view to see more events associated with the IAM key. The Explore view populates the search bar with your IAM key ID and the HEC receiver type. For example:

    #iamKeyId=3e99daf3-8266-4017-9323-1aa2b41d62ba #receiver=splunk.hec

    Adjust the time filter to choose the range of data displayed.

Once events start flowing into Imply Lumi, you can search them. See Search for events with Imply Lumi for details and information on supported search syntax.

Learn more

See the following topics for more information: