Generate a JWT token to begin collecting third-party logs via HTTP event collection, and forward the log data to TrendAI Vision One™ for analysis and correlation or compliance purposes.
Procedure
- Go to .
- Create a new log repository or select an existing log repository.
- On the Log repository panel, go to the Collectors tab and click Add collector.The Add collector screen appears.
- Select the vendor, product, log format, and log timezone of the log source.
- Specify the collector name and description.
- Select HTTP event collection as the log ingestion method, and copy the appropriate endpoint URL for your third-party data source.
- Click Add.
- On the Generate JWT token screen, select the JWT token expiration and click Generate token.

Note
To manage JWT tokens for your third-party log collectors, go to and click Manage JWT tokens. - On the Copy JWT token screen, copy and save the token.
- Click Close.
- On the Log repository drawer on the Collectors tab, verify the information (including endpoint URL) under the collector you created.

Note
You can use the following API specifications to forward logs:-
Headers:HeaderValue for /rawValue for /hecDescriptionAuthorizationBearer <token>Splunk <token>Bearer <token>Splunk <token>Required. The JWT token generated during collector creation.Content-Typetext/plaintext/plainapplication/jsonapplication/x-ndjsonRequired. Currently, the /raw endpoint only accepts plain text content. The /hec endpoint accepts plain text, jason, and x-ndjson content.Content-Encodinggzipgzip
Optional. Currently, both endpoints only accept gzip content encoding while the payload is a gzip file. -
Request body:
-
For /raw endpoint: The payload body is treated as a text stream. Each line (separated by \n or \r\n) is ingested as a separate log entry.
-
For /hec endpoint: The payload body is treated as a single JSON object, array, or NDJSON (newline-delimited).
-
-
Examples:
-
For /raw endpoint:
curl -X POST 'https://<api-fqdn>/ingest/api/v1/third_party_log/raw' \ -H "Authorization: Bearer <TOKEN>" \ -H "Content-Type: text/plain" \ -d '<189>Feb 01 10:00:00 router-1 denied tcp src 10.0.0.1 <189>Feb 01 10:00:01 router-2 permitted tcp src 10.0.0.2'
-
For /hec endpoint (sending a JSON array log):
curl -X POST 'https://<api-fqdn>/ingest/api/v1/third_party_log/hec' \ -H "Authorization: Bearer <TOKEN>" \ -H "Content-Type: text/plain" \ -d '[{"timestamp": "2026-04-07T10:00:03Z", "msg": "json log line 1"},{"timestamp": "2026-04-07T10:00:05Z", "msg": "json log line 2"}]' -
For /hec endpoint (sending stacked JSON logs):
curl -X POST 'https://<api-fqdn>/ingest/api/v1/third_party_log/hec' \ -H "Authorization: Splunk <TOKEN>" \ -H "Content-Type: application/json" \ -d '{"timestamp": "2026-04-07T10:00:03Z", "msg": "json log line 1"}{"timestamp": "2026-04-07T10:00:05Z", "msg": "json log line 2"}'
-
-
