Skip to main content
Skip table of contents

Creating an event in Splunk

This documentation references external sources. Nexthink does not have control over the accuracy of third-party documentation, nor any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to Nexthink Support.

This document demonstrates how to configure Nexthink Webhook to send out an event to HTTP Event Collector (HEC) in Splunk.

In Splunk

Complete the following steps to send data to Splunk HTTP Event Collector:

  1. Log in to your Splunk server.

  2. Go to Settings, then Data Inputs, then HTTP Event Collector and select Global Settings.

  3. Edit the Global Settings:

    1. Click the Enabled button for the All Tokens option.

    2. If you want to send data to Splunk via HTTPS, click the Enable SSL checkbox. You must configure the Data Streamer to use Transport Layer Security (TLS). Refer to the Securing communications between the Data Streamer and its subscribers documentation on the IBM website for more information.

    3. In the HTTP Port Number field, specify the port number for the HEC to listen to.

    4. Click Save.

  4. Go to Settings then Data Inputs.

  5. Click +Add New in the HTTP Event Collector row to create a new HEC token.

    1. In the Name field, specify a name for the HEC token.

    2. If you want to replace the source name for events that this input generates, specify the value in the Source name override field.

    3. Click Next.

    4. In the Index section, select the index in which Splunk stores the HEC event data. We suggest using a test index to verify your data before pushing it to a production index.

For Webhook information to be sent out successfully into Splunk using HEC, make sure that the Enable indexer acknowledgement property is not selected. If you leave it selected, the system requires a custom header (X-Splunk-Request-Channel) which Webhooks does not currently support.
Refer to the HEC indexer acknowledgement documentation on the Splunk website for more information.

In Nexthink

Step 1 - Configure Credentials

Create a new credential with Bearer Token as an authentication mechanism.

Configure credentials

It is important to mark Splunk as the header prefix, otherwise the requests won’t be processed.

Step 2 - Configure Webhook

Create a new webhook of the Alert or Event type with the following values:

Credentials: the credential alias created in Step 1

Method: POST

Resource: services/collector

Payload:

CODE
{
 "time": {{device_performance.crashes.time}},
 "index":"main",
 "event": "metric",
  "source": "metrics",
  "sourcetype": "perflog",
  "host": "host_1.splunk.com",
  "fields": {
    "region": "us-west-1",
    "datacenter": "dc2",
    "rack": "63",
    "Crashes count": "{{device_performance.crashes.count}}",
    "Crashes error code": "{{device_performance.crashes.error_code}}",
    "Crashes label": "{{device_performance.crashes.label}}"
  }
}

Some of the properties that are included in the payload can be added as Query parameters.

For instance, you can specify index as a query parameter in the Resource as follows:

Resource: services/collector?index=main

Step 3 - Check the results

Once you have executed the webhook, you can find the event in Splunk by using the Search tab.

Search in Splunk

Depending on which condition you specify to search the events, the results will look similar to this:

Search results in Splunk

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.