Connectors / Service / Splunk HTTP Event Collector

Splunk HTTP Event Collector

Splunk HTTP Event Collector

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols.


Splunk HTTP Event Collector (HEC) is a fast and efficient way to send data to Splunk Enterprise and Splunk Cloud. Notably, HEC enables you to send data over HTTP (or HTTPS) directly to Splunk Enterprise or Splunk Cloud from your application. HEC was created with application developers in mind, so that all it takes is a few lines of code added to an app for the app to send data.

API INFO: The Base URL used for the splunk-http-event-collector connector is [protocol]://[host]:[port]. More information can be found on their main API documentation (v8.2) site.
PLEASE NOTE: The base URL for the Splunk HEC API is specific to your account and it is one of the required authentication params. For more info about it, please, check the authentication section below.


Within the workflow builder, highlight the Splunk HTTP Event Collector connector.

In the Splunk HTTP Event Collector connector properties panel to the right of the builder, click on the Authenticate tab and the 'New authentication' button.

This will result in a authentication pop-up modal. The first page will ask you to name your authentication and select the type of authentication you wish to create ('Personal' or 'Organisational').

The next page asks you for your 'HTTP Event Collector URI', 'HTTP Event Collector token', and permission to 'Disable SSL validation'.

IMPORTANT!: The Splunk Web enables users to create and use Self Signed Certificates for their instances. The user will also be able to get certificates signed by a third party for Splunk Web. A request made through an instance that uses Self Signed SSL certificates is considered "untrusted", and the connector would throw an error. The Splunk HEC connector gives the possibility to send API requests even if using Self Signed Certificates. To do that, ensure that the 'disable SSL validation' box is flagged during the auth process.

In order to get these fields, head to your Splunk Instance dashboard.

Your 'HTTP Event Collector URI' has a specific format depending on the type of account you have.

For example, if you have a Splunk Cloud account then the URI is of format: <protocol>://http-inputs-<host>:<port>/<endpoint>.


  • protocol: is either http or https.
  • host: is your Splunk instance that runs HEC.
  • port: is the HEC port number. It depends on your type of account and defaults on 8000.
  • endpoint: Your can get the endpoint from the URL of your Splunk instance page:

For more information on URI formats for different types of account refer to the Send data to HTTP Event Collector section of the Splunk document.

To get the 'HTTP Event Collector token', head to your Splunk instance dashboard and navigate to Settings > 'Data inputs'.

On the Data inputs page, you can select one of your available Data inputs.

Once selected, you will be redirected to the HTTP Event Collector page. You will get the HEC token related to the selected data input on this page.

Once you have added these fields to your authentication pop-up window, click the 'Create authentication' button.

Go back to your settings authentication field (within the workflow builder properties panel), and select the recently added authentication from the dropdown options now available.

Your connector authentication setup should now be complete.

Available Operations

The examples below show one or two of the available connector operations in use.

Please see the Full Operations Reference at the end of this page for details on all available operations for this connector.

BEST PRACTICES: Whenever you do decide to create your own workflow, please make sure you take a look at our Managing data best practices guide.

All Operations

Latest version: