Enable the HTTP Event Collector in Splunk Web under Settings > Data Inputs > HTTP Event Collector; create a new token, assign it to the target index and a source type, and copy the generated token value
Send events by POSTing JSON to https://YOUR_SPLUNK_HOST:8088/services/collector/event with header Authorization: Splunk YOUR_HEC_TOKEN and body {"event": "your log line", "sourcetype": "myapp", "index": "main"}
Use the raw endpoint /services/collector/raw for sending newline-delimited plain text in bulk without JSON wrapping; the sourcetype and index are set by token configuration or query-parameter overrides
Batch multiple events in a single POST by concatenating JSON event objects (no array wrapper or commas between objects); HEC accepts up to 1 MB per request by default—this limit is configurable
Enable indexer acknowledgment on the token if you need at-least-once delivery: include the header X-Splunk-Request-Channel with a unique UUID, then poll /services/collector/ack with the returned ackId list to confirm indexing
For Splunk Cloud Platform, create HEC tokens via the Admin Config Service (ACS) API rather than Splunk Web UI to support automation and GitOps workflows
Known gotchas
HEC tokens are not scoped to sourcetype at the API level—a sender can override sourcetype per request; restrict to expected sourcetypes by enabling sourcetype allowlists in the token configuration
A 503 response from HEC means the indexer queue is full (the server is busy); implement exponential-backoff retry logic in your log shipper rather than dropping events on 503
The event timestamp defaults to ingest time if the time field is omitted; always include "time": UNIX_EPOCH_SECONDS in each event object to preserve the original event timestamp for accurate time-ordered search
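An added example (not from the original page or from Splunk): a small Python sender that builds batched request bodies the way the steps above describe (concatenated JSON objects, each carrying its own time field) and retries on 503 with exponential backoff. The function names, the 1,000,000-byte cap used as a stand-in for the default limit, and the retry parameters are assumptions for illustration.

```python
import json
import time
import urllib.error
import urllib.request

MAX_BYTES = 1_000_000  # assumption: stand-in for the ~1 MB default the page cites

def build_batches(events, sourcetype, index, max_bytes=MAX_BYTES):
    """Pack (epoch_seconds, line) pairs into HEC request bodies.

    Objects are concatenated with no array wrapper and no commas.
    An event larger than max_bytes still gets a body of its own.
    """
    batches, current, size = [], [], 0
    for ts, line in events:
        obj = json.dumps({"time": ts, "event": line,
                          "sourcetype": sourcetype, "index": index}).encode()
        if current and size + len(obj) > max_bytes:
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(obj)
        size += len(obj)
    if current:
        batches.append(b"".join(current))
    return batches

def http_post(url, token, body):
    """POST one body to HEC and return the HTTP status code."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def send_with_retry(url, token, body, post=http_post,
                    retries=5, base_delay=0.5, sleep=time.sleep):
    """Resend on 503 with doubling delays; return (status, retries_used)."""
    for attempt in range(retries + 1):
        status = post(url, token, body)
        if status != 503:
            return status, attempt
        if attempt < retries:
            sleep(base_delay * 2 ** attempt)
    return 503, retries
```

Pass each body from build_batches to send_with_retry with the /services/collector/event URL and your token; a body that still returns 503 after the last retry should be spooled to disk rather than discarded.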