1. Splunk Enterprise Documentation, Getting Data In Manual, "Set up and use HTTP Event Collector in Splunk Web": This document specifies the different HEC endpoints. It states, "The two types of HEC endpoints are the /services/collector/event endpoint, for JSON-formatted events, and the /services/collector/raw endpoint, for raw text." This confirms that the provided JSON data is intended for an endpoint under the /services/collector path and that the /raw endpoint is incorrect.
2. Splunk Enterprise Documentation, REST API Reference Manual, "data/inputs/http": This reference describes the endpoints for managing HEC tokens. It states, "Use this endpoint to create, view, and edit HTTP Event Collector tokens." This confirms that the data/inputs/http path (options A and D) is for configuration, not data ingestion.
3. Splunk Enterprise Documentation, Getting Data In Manual, "Format events for HTTP Event Collector": This section details the required JSON wrapper for the /event endpoint. It clarifies that structured JSON like the example is the intended format for the event collector, distinguishing it from the /raw endpoint. The base path for this functionality is services/collector.