Alerting

How to resolve splunkd error when sending Meraki Alerts to Splunk HTTP Event Collector Endpoint?

Loves-to-Learn Lots

I am trying to send Meraki Alerts to Splunk HEC Endpoint.

Please refer this URL to understand how we send Meraki alerts to receiving services. https://developer.cisco.com/meraki/webhooks/#!introduction/overview

I need to specify the Splunk endpoint and the shared secret in the Meraki webhook alert page as expected by Meraki. And here are the following details"

Webhook URL: Splunk Public Endpoint DNS(Backend will be heavy forwarder:8088)/services/collector/raw
Shared Secret: HEC token in that Heavy forwarder

Now when I hit the test option, the Meraki alerts are not flowing into Splunk and on detailed log Splunk analysis, we get the below error in our splunkd.log:

06-03-2020 17:12:23.556 +0200 ERROR HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=****, reply=2, events_processed=0, http_input_body_size=878

I could see that Meraki is not able to send the shared secret key with Splunk token embedded and hence failing.
Any suggestion on fixing this would be of great help.

Labels (1)
0 Karma