Creating an event in Splunk

This documentation references external sources.

Nexthink does not control the accuracy of third-party documentation or external updates that can result in inconsistencies.

Report any errors or inconsistencies to Nexthink Support.

This document demonstrates how to configure a Nexthink Webhook to send an event to the HTTP Event Collector (HEC) in Splunk.

In Splunk

Complete the following steps to send data to Splunk HTTP Event Collector:

  1. Log in to your Splunk server.

  2. Go to Settings, then Data Inputs, then HTTP Event Collector and select Global Settings.

  3. Edit the Global Settings:

    • Click the Enabled button for the All Tokens option.

    • If you want to send data to Splunk via HTTPS, click the Enable SSL checkbox. You must configure the Data Streamer to use Transport Layer Security (TLS).

    • In the HTTP Port Number field, specify the port number for the HEC to listen to.

    • Click Save.

  4. Go to Settings then Data Inputs.

  5. Click Add New in the HTTP Event Collector row to create a new HEC token.

    • In the Name field, specify a name for the HEC token.

    • If you want to replace the source name for events that this input generates, specify the value in the Source name override field.

    • Next, in the Index section, select the index in which Splunk stores the HEC event data. We suggest using a test index to verify your data before pushing it to a production index.

To send webhook information into Splunk using HEC, do not select Enable indexer acknowledgement.

If Enable indexer acknowledgement is left selected (the default), Splunk requires a custom header (X-Splunk-Request-Channel) on every request, which Webhooks does not support.

Refer to the HEC indexer acknowledgement Splunk documentation for more information. Alternatively, you can supply the channel as a URL query parameter instead.

In Nexthink

From the Nexthink web interface:

Configuring a connector credential for Splunk

From the connector credential configuration page, fill out the fields using the information from the connection you created in Splunk.

  1. Choose the HTTPS option from the Protocol drop-down.

  2. Paste the root URL, for example https://prdXXXXXXXX.splunkcloud.com:80XX, into the URL address field.

  3. Choose the Bearer token option from the Authorization drop-down.

  4. Type Splunk in the Header prefix field.

  5. Copy the HEC token from the Splunk connection and paste it into the Token field.

  6. Save the credential.

Configuring a webhook for Splunk

From the webhook configuration page, fill out the fields using the information from the connection you created in Splunk and the connector credential defined in Nexthink.

  1. Fill in the NQL Condition following the Configuring webhook NQL conditions documentation. See the query below.

device_performance.system_crashes
| list error_code, time, label

  2. Choose the connector credential you created for Splunk from the Credentials drop-down.

  3. Select POST from the Method drop-down.

  4. Paste the URL endpoint from the Splunk connection, without the URL address, into the Resources field. For example: services/collector

  5. Add the message you want to send in Payload. See the example below.

    • Some of the properties included in the payload can be added as query parameters.

      For instance, you can specify index as a query parameter in the Resources field as follows: services/collector?index=main

{
  "time": {{device_performance.crashes.time}},
  "index":"main",
  "event": "metric",
  "source": "metrics",
  "sourcetype": "perflog",
  "host": "host_1.splunk.com",
  "fields": {
    "region": "us-west-1",
    "datacenter": "dc2",
    "rack": "63",
    "Crashes count": "{{device_performance.crashes.count}}",
    "Crashes error code": "{{device_performance.crashes.error_code}}",
    "Crashes label": "{{device_performance.crashes.label}}"
  }
}

Refer to the Configuring webhook fields: Method, Resource, and Payload documentation to learn more about allowed placeholders for payloads.

  6. Send a test and verify the information appears in Splunk. See the image below.

    • Find the event in Splunk by using the Search tab.
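As an added illustration (not Nexthink's or Splunk's own code), the following Python script reproduces what the webhook configured above sends: it renders the payload template from a constructed crash event, builds the request URL from the URL address, the Resources value and the index query parameter, and sets the Authorization header from the Splunk header prefix and the HEC token. The host, the token and the default HEC port 8088 are assumed placeholders, and the crash values are constructed; the script does not contact any server unless you uncomment the final call.

```python
import json
import re
import ssl
import urllib.request
from urllib.parse import urlencode

# Constructed sample values standing in for what the webhook's NQL condition
# would supply for one crash event (hypothetical data, not from the page).
SAMPLE_EVENT = {
    "device_performance.crashes.time": 1718000000,
    "device_performance.crashes.count": 3,
    "device_performance.crashes.error_code": "0x0000007E",
    "device_performance.crashes.label": 'Bug check "7E"',
}

# The page's payload with "index" removed, because the example passes the
# index as a query parameter instead (the page describes both ways).
PAYLOAD_TEMPLATE = """{
  "time": {{device_performance.crashes.time}},
  "event": "metric",
  "source": "metrics",
  "sourcetype": "perflog",
  "host": "host_1.splunk.com",
  "fields": {
    "region": "us-west-1",
    "datacenter": "dc2",
    "rack": "63",
    "Crashes count": "{{device_performance.crashes.count}}",
    "Crashes error code": "{{device_performance.crashes.error_code}}",
    "Crashes label": "{{device_performance.crashes.label}}"
  }
}"""

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def render_payload(template: str, event: dict) -> str:
    """Replace {{placeholders}} with event values and return the JSON text.

    String values are JSON-escaped so a label containing a quote or a
    backslash cannot break the document; numbers are inserted verbatim so
    the unquoted "time" placeholder stays a JSON number.
    """
    def substitute(match):
        key = match.group(1)
        if key not in event:
            raise KeyError(f"no value for placeholder {key}")
        value = event[key]
        if isinstance(value, str):
            # Escaped inner text only: the template already supplies the quotes.
            return json.dumps(value)[1:-1]
        return json.dumps(value)

    rendered = PLACEHOLDER.sub(substitute, template)
    doc = json.loads(rendered)  # fail fast if the rendered text is not valid JSON
    if "event" not in doc:
        raise ValueError('HEC rejects payloads without an "event" key')
    return rendered


def build_hec_request(base_url: str, resource: str, token: str, index: str = ""):
    """Assemble what the webhook sends: URL address + Resources, plus the
    Authorization header made of the "Splunk" header prefix and the HEC token.
    No X-Splunk-Request-Channel header is set, so the HEC token must have
    indexer acknowledgement disabled, as noted above."""
    url = base_url.rstrip("/") + "/" + resource.lstrip("/")
    if index:
        url += ("&" if "?" in url else "?") + urlencode({"index": index})
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return url, headers


def send_event(url: str, headers: dict, body: str) -> dict:
    """POST the event over HTTPS with certificate verification on (matching
    the Enable SSL option in the Splunk global settings); returns HEC's reply."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    body = render_payload(PAYLOAD_TEMPLATE, SAMPLE_EVENT)
    # Placeholder host and token (assumptions); 8088 is Splunk's default HEC port.
    url, headers = build_hec_request("https://prdXXXXXXXX.splunkcloud.com:8088",
                                     "services/collector", "<HEC-TOKEN>", index="main")
    print(url)
    print(body)
    # send_event(url, headers, body)  # uncomment with a real URL address and token
```

Running the script prints the exact URL and body the webhook would submit, which is a quick way to confirm that every placeholder in the Payload field has a value before sending a test from Nexthink; a placeholder with no value raises an error instead of producing broken JSON that HEC would reject.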
