Alerting

How to resolve splunkd error when sending Meraki Alerts to Splunk HTTP Event Collector Endpoint?

developmenttool
Loves-to-Learn Lots

I am trying to send Meraki Alerts to Splunk HEC Endpoint.

Please refer this URL to understand how we send Meraki alerts to receiving services. https://developer.cisco.com/meraki/webhooks/#!introduction/overview

I need to specify the Splunk endpoint and the shared secret in the Meraki webhook alert page as expected by Meraki. And here are the following details"

Webhook URL: Splunk Public Endpoint DNS(Backend will be heavy forwarder:8088)/services/collector/raw
Shared Secret: HEC token in that Heavy forwarder

Now when I hit the test option, the Meraki alerts are not flowing into Splunk and on detailed log Splunk analysis, we get the below error in our splunkd.log:

06-03-2020 17:12:23.556 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=****, reply=2, events_processed=0, http_input_body_size=878

I could see that Meraki is not able to send the shared secret key with Splunk token embedded and hence failing.
Any suggestion on fixing this would be of great help.

Labels (1)
0 Karma

ansif
Motivator

@developmenttool : Is this issue resolved? May I know how you ended up this integration?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...