How to configure Splunk HEC as a Notification Webhook Target

Question

I’m attempting to send Cribl Stream notifications for one of my sources via HEC to Splunk. I’ve configured the Webhook target with the url to my Splunk instance’s HEC endpoint with the token in the url. However, I see Status Codes of 400 and the following message in Stream: text:Query string authorization is not enabled. How do I properly configure the notification target to send via HEC to Splunk?

Johan Woger · Answer

By default, splunk does not allow query string auth for your configured tokens, which means that you cant just simply include the token in the url. In order for this to work you will have to manually edit inputs.conf on your splunk instance and add the following attribute to each individual token stanza that you want to use.

[token_name_stanza]
allowQueryStringAuth = true

Restart splunk and your notifications should now post correctly to that token. If you are still having issues you can check splunks introspection index for errors related to the token. Also, make sure that if the token you are using is not configured with a default index, that you are passing an index value along with the event.

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded