Enable HEC in Splunk Web under Settings > Data Inputs > HTTP Event Collector and create a new token, selecting a default index and source type
Send events via POST to 'https://<splunk_host>:8088/services/collector/event' with 'Authorization: Splunk YOUR_HEC_TOKEN' header and Content-Type: application/json
Construct the JSON body as '{"time": <epoch_float>, "host": "myhost", "source": "myapp", "sourcetype": "_json", "index": "main", "event": {"key": "value"}}' where 'event' contains the actual log or metric payload
For batch ingestion concatenate multiple JSON event objects (not a JSON array) in one request body, each on its own line or separated without commas, to the same endpoint
Verify ingestion by searching 'index=main source=myapp' in Splunk Search and confirm the HEC token's request count in the monitoring console
Known gotchas
HEC uses port 8088 by default (not 443 or 8000); network or firewall rules must allow this port, and TLS certificate validation failures are a common connection blocker
The 'event' field value can be a string or a JSON object, but if it is a string containing raw JSON, Splunk will index it as a string not as extracted fields — send a parsed object for field extraction
Acknowledgment mode (indexer acknowledgment) requires the HEC token to have it enabled and requires a separate ACK polling call; without it, a 200 response does not guarantee events are indexed
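The steps and gotchas above as an added Python example (not part of the original page): it builds the concatenated batch body, turns string records that hold raw JSON into objects so their fields are extracted, and prepares the POST without sending it. The host name, the token value and all helper names are placeholders chosen for illustration.

```python
import json
import time
import urllib.request

HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"  # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token

def to_hec_event(record, ts=None, host="myhost", source="myapp",
                 sourcetype="_json", index="main"):
    """Wrap one log record in the HEC envelope described above."""
    if isinstance(record, str):
        # A string holding raw JSON would be indexed as a string, so parse it;
        # any other string is left as plain text.
        try:
            parsed = json.loads(record)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            record = parsed
    return {"time": time.time() if ts is None else float(ts), "host": host,
            "source": source, "sourcetype": sourcetype, "index": index,
            "event": record}

def build_batch_body(records, **meta):
    """Concatenate event objects one per line: not a JSON array, no commas."""
    return "\n".join(json.dumps(to_hec_event(r, **meta)) for r in records).encode()

def build_request(body, url=HEC_URL, token=HEC_TOKEN):
    """Prepare the POST; urllib verifies the TLS certificate by default."""
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json"})

def split_batch(body):
    """Decode a concatenated body back into events (a local format check)."""
    dec, text, pos, out = json.JSONDecoder(), body.decode(), 0, []
    while pos < len(text):
        obj, pos = dec.raw_decode(text, pos)
        out.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return out

if __name__ == "__main__":
    sample = [{"key": "value"}, '{"user": "alice", "action": "login"}']  # constructed
    req = build_request(build_batch_body(sample, ts=1700000000.0))
    print(req.full_url, req.data.decode(), sep="\n")
    # To send: urllib.request.urlopen(req, timeout=10), then check for HTTP 200.
```

Keep certificate verification on when sending; if the HEC endpoint uses a private CA, pass an `ssl` context that trusts that CA instead of disabling validation.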