
How to configure Splunk HEC as a Notification Webhook Target

Jeremy Prescott Posts: 33 ✭✭

I’m attempting to send Cribl Stream notifications for one of my sources via HEC to Splunk. I’ve configured the Webhook target with the URL to my Splunk instance’s HEC endpoint with the token in the URL. However, I see Status Codes of 400 and the following message in Stream: text:Query string authorization is not enabled. How do I properly configure the notification target to send via HEC to Splunk?

Best Answer

  • Johan Woger Posts: 16
    Answer ✓

    By default, Splunk does not allow query string auth for your configured tokens, which means that you can't just simply include the token in the URL. In order for this to work you will have to manually edit inputs.conf on your Splunk instance and add the following attribute to each individual token stanza that you want to use.

    [token_name_stanza]
    allowQueryStringAuth = true

    Restart Splunk and your notifications should now post correctly to that token. If you are still having issues you can check Splunk's introspection index for errors related to the token. Also, make sure that if the token you are using is not configured with a default index, that you are passing an index value along with the event.
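
Added example, not part of the original answer and not Splunk or Cribl code: a Python check over inputs.conf that reports, for each HEC token stanza, the two settings the answer mentions (allowQueryStringAuth and a default index). It assumes token stanzas are named `[http://<name>]`; the sample file, stanza names and token values are constructed.

```python
import configparser

# Constructed sample inputs.conf; stanza names and token values are made up.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0

[http://cribl_notifications]
token = 00000000-0000-0000-0000-000000000001
allowQueryStringAuth = true

[http://app_metrics]
token = 00000000-0000-0000-0000-000000000002
index = metrics

[monitor:///var/log/messages]
index = os
"""

TRUE_VALUES = {"1", "true"}  # assumed truthy spellings for this check


def audit_hec_tokens(conf_text):
    """Return one dict per [http://<name>] stanza with the query string auth
    setting and whether a default index is configured."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str  # keep the case of key names as written
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("http://"):
            continue  # skip the global [http] stanza and non-HEC inputs
        stanza = parser[section]
        query_auth = stanza.get("allowQueryStringAuth", "false").strip().lower()
        findings.append({
            "token_name": section[len("http://"):],
            "query_string_auth": query_auth in TRUE_VALUES,
            "has_default_index": bool(stanza.get("index", "").strip()),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_hec_tokens(SAMPLE_INPUTS_CONF):
        print(finding)
```

A token with query string auth enabled travels in the request URL, so it can show up in proxy and web access logs; listing those stanzas helps keep the setting limited to the tokens that need it.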
