Import Existing Splunk HECs to Cribl Stream

Hi All,
Quite new to Cribl. We have existing Splunk Heavy Forwarders which are handling Splunk HEC requests. We are in the process of replacing the HF instances with Cribl Stream, and we have around 200 HEC tokens active.
Is there any process to export these HEC configurations (HEC token, name, index, sourcetype, etc.) to Cribl directly?
TIA.

1 UpGoat

Hi dinesh, there isn't an easy button to import these. However, after you configure one HEC input for your worker group, you can look at the resulting conf file and probably figure out a way to script the input creation by using our inputs API, located here: Cribl API | Cribl Docs

Hi Dinesh
If you know Python, you can build a script using our Python API wrapper to create the HEC inputs in Stream.

There’s a function called create_splunkhec_source, which is defined as:

def create_splunkhec_source(base_url, cribl_auth_token, source_id, host, port, splunk_hec_api, disabled=False,
                            pipeline=None,
                            send_to_routes=True,
                            persistent_queue_enabled=False,
                            streamtags=None,
                            environment=None,
                            connections=None,
                            pq=None,
                            auth_tokens=None,
                            tls=None,
                            max_active_req=1000,
                            enable_proxy_header=False,
                            capture_headers=False,
                            activity_log_sample_rate=100,
                            request_timeout=0,
                            metadata=None,
                            allowed_indexes=None,
                            splunk_hec_acks=False,
                            breaker_rulesets=None,
                            stale_channel_flush_ms=10000,
                            worker_group=None
                            ):
    ...  # body not shown in the post; implemented in the Cribl Python API wrapper

Note that the first six parameters in this function are mandatory. Everything else uses default values in line with the API documentation.

For example, if you wanted to set index, source, and sourcetype when creating the HEC input via this function, you would create a list of dictionaries (dicts), such as:

metadata = [{
    "name": "index",
    "value": "'my_test_index'"
}, {
    "name": "source",
    "value": "'event_source'"
}, {
    "name": "sourcetype",
    "value": "'event_sourcetype'"
}]

Then call the function as follows:

response = create_splunkhec_source(base_url, cribl_auth_token, 
                                   source_id="splunk_hec_source", 
                                   host="localhost",
                                   port=22002, 
                                   splunk_hec_api="/services/collector", 
                                   metadata=metadata, 
                                   worker_group=worker_group)

You can see these fields in the new Splunk HEC source in the UI.

Hope this helps!

2 UpGoats
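The answers above cover creating a single HEC input; the original question is about carrying roughly 200 existing tokens across. Below is an added example (not code from the thread, the Cribl Python wrapper, or Cribl itself) that parses the `[http://<name>]` stanzas of a Splunk `inputs.conf`, keeps each token's index/source/sourcetype, allowed indexes and disabled state, and builds one Cribl `splunk_hec` input carrying all of them as auth tokens, which mirrors how a Heavy Forwarder serves every token on one port. The sample conf is constructed. The Cribl body field names (`type`, `splunkHecAPI`, `authTokens`, `allowedIndexesAtToken`, `metadata`) and the `/api/v1/m/<group>/system/inputs` endpoint are my understanding of the input schema and should be confirmed against the conf of an input you first create in the UI, as the first answer suggests. Metadata values are JavaScript expressions in Cribl, so they are emitted via `json.dumps` rather than hand-quoted; that way an index name containing a quote cannot break or alter the expression.

```python
"""Migrate Splunk HEC token stanzas into a Cribl Stream Splunk HEC input body.

Added example; field names and API path are assumptions to verify against a
conf file exported from a UI-created Cribl HEC input.
"""
import configparser
import json
import os
import urllib.request

# Constructed sample modelled on Splunk's inputs.conf format (not a real file).
# [http] is the global HEC stanza; [http://<name>] stanzas are the tokens.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://web_app]
token = 11111111-2222-3333-4444-555555555555
index = web
sourcetype = access_combined
indexes = web,web_staging
disabled = 0

[http://legacy_agent]
token = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
index = legacy
source = legacy_agent
disabled = 1
"""


def parse_hec_stanzas(conf_text):
    """Return a list of dicts, one per [http://<name>] stanza that has a token."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (useACK, enableSSL)
    cp.read_string(conf_text)
    stanzas = []
    for section in cp.sections():
        if not section.startswith("http://"):
            continue  # skip the global [http] stanza and anything non-HEC
        s = cp[section]
        if "token" not in s or not s["token"].strip():
            continue  # a stanza without a token cannot authenticate anything
        stanzas.append({
            "name": section[len("http://"):],
            "token": s["token"].strip(),
            "index": s.get("index"),
            "source": s.get("source"),
            "sourcetype": s.get("sourcetype"),
            "indexes": [i.strip() for i in s.get("indexes", "").split(",") if i.strip()],
            # Preserve Splunk's disabled state instead of silently re-enabling.
            "disabled": s.get("disabled", "0").strip().lower() in ("1", "true"),
        })
    return stanzas


def to_metadata(stanza):
    """Cribl metadata values are JS expressions; json.dumps yields a safely
    escaped string literal (a valid JS expression) for each field."""
    return [{"name": k, "value": json.dumps(stanza[k])}
            for k in ("index", "source", "sourcetype") if stanza.get(k)]


def build_cribl_hec_input(stanzas, input_id, port=8088):
    """Build one splunk_hec input whose authTokens list holds every token.
    Field names are assumptions (see module docstring)."""
    seen = {}
    auth_tokens = []
    for s in stanzas:
        # Two stanzas sharing a token string would collide in Cribl; fail loudly.
        if s["token"] in seen:
            raise ValueError(f"token for {s['name']} duplicates {seen[s['token']]}")
        seen[s["token"]] = s["name"]
        entry = {
            "token": s["token"],
            "description": s["name"],
            "enabled": not s["disabled"],
            "metadata": to_metadata(s),
        }
        if s["indexes"]:
            entry["allowedIndexesAtToken"] = s["indexes"]  # assumed field name
        auth_tokens.append(entry)
    return {
        "id": input_id,
        "type": "splunk_hec",
        "host": "0.0.0.0",
        "port": port,
        "splunkHecAPI": "/services/collector",
        "authTokens": auth_tokens,
        "sendToRoutes": True,
    }


def post_input(base_url, worker_group, body, bearer_token):
    """POST the body to the worker group's inputs endpoint (assumed path).
    Not executed here; needs a reachable Leader and a bearer token."""
    url = f"{base_url.rstrip('/')}/api/v1/m/{worker_group}/system/inputs"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_cribl_hec_input(parse_hec_stanzas(SAMPLE_INPUTS_CONF), "hec_from_hf")
    # Token values are secrets: print only counts, never the body, and read the
    # Cribl API token from the environment rather than hard-coding it.
    print(f"{len(body['authTokens'])} tokens mapped into input {body['id']}")
    if os.environ.get("CRIBL_URL") and os.environ.get("CRIBL_TOKEN"):
        post_input(os.environ["CRIBL_URL"], os.environ.get("CRIBL_GROUP", "default"),
                   body, os.environ["CRIBL_TOKEN"])
```

Two practical notes: the Cribl API changes the Leader's working copy only, so a commit and deploy to the worker group are still needed before the tokens are live; and the migrated token strings are the same secrets the Heavy Forwarders accepted, so run the script from a host you trust, over HTTPS, and rotate any token you cannot account for rather than carrying it across.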