https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395617#M99274 <P>You should always <EM>ALWAYS</EM> specify <CODE>input=</CODE> in your search string. NEVER EVER rely on <CODE>indexes searched by default</CODE> because this can change arbitrarily at any moment. So if you are specifying <CODE>index=summary</CODE> in your HEC token definition and the events show up when you do <CODE>index=summary</CODE> then you actually do not have a problem. Is this your situation?</P> Mon, 15 Jul 2019 19:35:32 GMT woodcock 2019-07-15T19:35:32Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395611#M99268 <P>Hi,</P> <P>I've created my Data Input, enabled what needs to be enabled. The PUT works, and I get a Success response. However, when I try to search the activity logs using: source="http:", I get ZERO results. </P> <P>curl -k :8088/services/collector -H "Authorization: Splunk XXXXXXXXXXXXXXXXX" -d '{"event": "hello world"}'</P> <P>{"text":"Success","code":0}</P> Fri, 12 Jul 2019 14:58:55 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395611#M99268 codysysdig 2019-07-12T14:58:55Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395612#M99269 <P>What is the sourcetype you configured for HEC input ?</P> Fri, 12 Jul 2019 15:11:18 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395612#M99269 harsmarvania57 2019-07-12T15:11:18Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395613#M99270 <P>At first, I did not select one. Then I set it to _json, either way, I dont get results back on the search. </P> Fri, 12 Jul 2019 15:46:28 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395613#M99270 codysysdig 2019-07-12T15:46:28Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395614#M99271 <P>Does the <CODE>index</CODE> value tied to your HEC token actually exist? Are you doing an <CODE>All time</CODE> search on your sourcetype (sometimes events get mis-timestamped and end up in the future or way in the past)?</P> Sat, 13 Jul 2019 22:18:18 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395614#M99271 woodcock 2019-07-13T22:18:18Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395615#M99272 <P>Yes, I've tried changing the time scale. </P> <P>What I dont understand is why I can not see anything with source="http:inputname" but when I add index="summary", I can see my manual PUTs</P> Mon, 15 Jul 2019 17:34:39 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395615#M99272 codysysdig 2019-07-15T17:34:39Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395616#M99273 <P>Can you please change sourcetype from <CODE>_json</CODE> to <CODE>json_no_timestamp</CODE> and try again?</P> Mon, 15 Jul 2019 17:41:36 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395616#M99273 harsmarvania57 2019-07-15T17:41:36Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395617#M99274 <P>You should always <EM>ALWAYS</EM> specify <CODE>input=</CODE> in your search string. NEVER EVER rely on <CODE>indexes searched by default</CODE> because this can change arbitrarily at any moment. So if you are specifying <CODE>index=summary</CODE> in your HEC token definition and the events show up when you do <CODE>index=summary</CODE> then you actually do not have a problem. Is this your situation?</P> Mon, 15 Jul 2019 19:35:32 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395617#M99274 woodcock 2019-07-15T19:35:32Z https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395618#M99275 <P>Hi @codysysdig </P> <P>If you are sending the events via HEC curl then you can search the events from that particular HEC token via:</P> <P>Query:<BR /> source="http:https input name"</P> <P>Example: <BR /> If you have created HEC token with name "test123" and you are sending any event via mentioning the token ID in curl command then you can search event for test123 via :</P> <P>source="http:test123"</P> <P>Thanks,<BR /> Dixit</P> Thu, 25 Jul 2019 04:55:38 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-Post-to-HEC-Splunk-Cloud-not-working/m-p/395618#M99275 dhihoriya_splun 2019-07-25T04:55:38Z