https://community.splunk.com/t5/Dashboards-Visualizations/HTTP-Event-Collector-How-to-resolve-a-quot-401-Unauthorized-from/m-p/257013#M16116 <P>This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf</A> but not the Splunk Enterprise inputs.conf docs at <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf</A> . Also see <A href="http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery">http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery</A> which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.</P> Tue, 31 Jan 2017 17:16:35 GMT jtacy 2017-01-31T17:16:35Z https://community.splunk.com/t5/Dashboards-Visualizations/HTTP-Event-Collector-How-to-resolve-a-quot-401-Unauthorized-from/m-p/257012#M16115 <P>I have enabled allowQueryStringAuth as mentioned in <A href="http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery">http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery</A> and want to pass my token in the POST request like hxxp://192.168.2.1:8088/services/collector?token= however, i still get a 401 Unauthorized from Splunk.</P> <P>A splunk btool check --debug gives me:</P> <PRE><CODE>tmachielsen@TonsMacBookPro:~% /Applications/Splunk/bin/splunk btool check --debug Checking: /Applications/Splunk/etc/users/admin/search/local/ui-prefs.conf Checking: /Applications/Splunk/etc/users/admin/search/local/ui-tour.conf Checking: /Applications/Splunk/etc/users/admin/splunk_monitoring_console/local/ui-prefs.conf Checking: /Applications/Splunk/etc/users/admin/user-prefs/local/user-prefs.conf Checking: /Applications/Splunk/etc/apps/learned/local/props.conf Checking: /Applications/Splunk/etc/apps/search/local/indexes.conf Checking: /Applications/Splunk/etc/apps/search/local/inputs.conf Checking: /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 11: sourcetypeSelection (value: From List). Did you mean 'sourcetype'? Did you mean 'source'? Did you mean 'sourcetype'? Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 12: allowQueryStringAuth (value: true). Checking: /Applications/Splunk/etc/apps/splunk_instrumentation/local/telemetry.conf Checking: /Applications/Splunk/etc/apps/user-prefs/local/user-prefs.conf Checking: /Applications/Splunk/etc/apps/SplunkForwarder/default/app.conf </CODE></PRE> <P>Any idea what i do wrong?</P> <P>Splunk Light 6.5.2 on OSX.</P> Sat, 28 Jan 2017 16:35:53 GMT https://community.splunk.com/t5/Dashboards-Visualizations/HTTP-Event-Collector-How-to-resolve-a-quot-401-Unauthorized-from/m-p/257012#M16115 PepePelotas 2017-01-28T16:35:53Z https://community.splunk.com/t5/Dashboards-Visualizations/HTTP-Event-Collector-How-to-resolve-a-quot-401-Unauthorized-from/m-p/257013#M16116 <P>This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf</A> but not the Splunk Enterprise inputs.conf docs at <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf</A> . Also see <A href="http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery">http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery</A> which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.</P> Tue, 31 Jan 2017 17:16:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/HTTP-Event-Collector-How-to-resolve-a-quot-401-Unauthorized-from/m-p/257013#M16116 jtacy 2017-01-31T17:16:35Z