How to configure Splunk HEC as a Notification Webhook Target

I’m attempting to send Cribl Stream notifications for one of my sources via HEC to Splunk. I’ve configured the Webhook target with the url to my Splunk instance’s HEC endpoint with the token in the url. However, I see Status Codes of 400 and the following message in Stream: text:Query string authorization is not enabled. How do I properly configure the notification target to send via HEC to Splunk?

1 UpGoat

By default, splunk does not allow query string auth for your configured tokens, which means that you can’t just simply include the token in the url. In order for this to work you will have to manually edit inputs.conf on your splunk instance and add the following attribute to each individual token stanza that you want to use.

allowQueryStringAuth = true

Restart splunk and your notifications should now post correctly to that token. If you are still having issues you can check splunk’s introspection index for errors related to the token. Also, make sure that if the token you are using is not configured with a default index, that you are passing an index value along with the event.

1 UpGoat