Hi @rdpsky! The s2s endpoint uses a proprietary binary format that Vector, at least currently, does not support receiving. This example:
Would not be valid even if Vector did support that endpoint as the incoming data isn't in raw JSON, it is in Splunk binary "cooked format". Hopefully that makes sense. We are tracking support for the "cooked format" here, #3848, if you want to follow for any updates!
-
Is there a reason why Vector Splunk HEC Source does not implement the /services/collector/s2s endpoint that the Splunk Universal Forwarder 'httpout' (in outputs.conf) uses?
The Vector docs DO state this.
This source exposes three HTTP endpoints at a configurable address that jointly implement the Splunk HEC API: /services/collector/event, /services/collector/raw, and /services/collector/health.
But this more-or-less precludes using the Splunk UF as a source for Vector HEC Source. I wonder why?
This can be demonstrated using examples from Splunk. (Vector Splunk HEC is listening on 8080)
splunk@:$ curl -H "Authorization: Splunk 400c4a05-47ef-45c6-aff5-9d83811f5a30" http://x.x.x.x:8080/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}';echo
{"text":"Success","code":0}
splunk@$ curl -H "Authorization: Splunk 400c4a05-47ef-45c6-aff5-9d83811f5a30" http://x.x.x.x:8080/services/collector/s2s -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}';echo
HTTP method not allowed
I have suspicions as to why this 'disparity' might exist, but I am sure there must be a technical reason, or perhaps there has not been time to implement it yet?
PS. Splunk reference for endpoints
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/HECRESTendpoints