
App shows 200, but no data

Splunk Employee

G'day!

My Health Post app on my phone shows data upload succeeded and the logs show that it's getting 200's in response...but no data shows in my configured index per the HEC token (and the video).

I've checked my token from outside (so no firewall issue). I turned off https because I'm not currently serving a cert on my HEC port, and I use a reverse proxy to get to the front-end UI.

I'm open to suggestions, but I think at this point it may be how the iOS app translates my Splunk URL into a HEC endpoint...

0 Karma

Esteemed Legend

If you are sure that your data is coming into the Indexers, check the following (each of these will create a log in `index=_*`):

1: If you are using an `index` value that is not defined:
1a: If you have `lastChanceIndex` defined, it will be there.
1b: If not, it will be dropped.
2: If your data is `malformed` then:
2a: If you have `malformedEventIndex` defined, it will be there.
2b: If not, it will be dropped.
3: If the date is too old, it will be dropped (see `MAX_DAYS_AGO`).
4: If the date is too far in the future, it will be dropped (see `MAX_DAYS_HENCE`).
5: If the date is interpreted incorrectly, you may be looking for it in the wrong place; it used to be that `All time` used `+Infinity`, but in some versions of Splunk, Splunk changed it to `now`, but in the very latest 8.0.2 it is back to `+Infinity`. In any case, use the `Advanced` section of the `Timepicker` and use `0` for `Earliest` and `@d+20d` for `Latest`.
0 Karma
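Items 3 to 5 of the checklist above, as an added example that is not part of the original thread: it classifies event timestamps against `MAX_DAYS_AGO`, `MAX_DAYS_HENCE` and a search window, showing why a narrow window misses backfilled or future-dated events that `Earliest=0` / `Latest=@d+20d` would find. The function names, the sample timestamps and the limit values (2000 and 2, assumed defaults) are assumptions; check your own `props.conf`.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)

def latest_at_d_plus_20d(now):
    """Splunk's `@d+20d`: snap to midnight today, then add 20 days (UTC assumed)."""
    return now.replace(hour=0, minute=0, second=0, microsecond=0) + 20 * DAY

def triage(event_epoch, now, earliest, latest, max_days_ago=2000, max_days_hence=2):
    """Classify one event timestamp against checklist items 3, 4 and 5.

    earliest/latest are the search window as timezone-aware datetimes.
    max_days_ago / max_days_hence mirror the props.conf settings; the
    values used here are assumed defaults, not read from any config.
    """
    ts = datetime.fromtimestamp(event_epoch, tz=timezone.utc)
    if now - ts > max_days_ago * DAY:
        return "too_old"          # item 3: older than MAX_DAYS_AGO
    if ts - now > max_days_hence * DAY:
        return "too_far_ahead"    # item 4: beyond MAX_DAYS_HENCE
    if not (earliest <= ts < latest):
        return "outside_window"   # item 5: indexed, but this search misses it
    return "visible"

# Constructed sample data: a fixed "now" and four made-up event times.
NOW = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)
EPOCH0 = datetime.fromtimestamp(0, tz=timezone.utc)
SAMPLES = {
    "backfill_3d_old": (NOW - 3 * DAY).timestamp(),
    "clock_skew_1d_ahead": (NOW + 1 * DAY).timestamp(),
    "export_2200d_old": (NOW - 2200 * DAY).timestamp(),
    "bad_parse_5d_ahead": (NOW + 5 * DAY).timestamp(),
}

def report(earliest, latest):
    """Triage every sample against one search window."""
    return {name: triage(ts, NOW, earliest, latest) for name, ts in SAMPLES.items()}

if __name__ == "__main__":
    print("1-minute window ending now:", report(NOW - timedelta(minutes=1), NOW))
    print("Earliest=0, Latest=@d+20d: ", report(EPOCH0, latest_at_d_plus_20d(NOW)))
```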

Splunk Employee

Even before any of this ^ wouldn't it show in the HEC Metrics that something is actually hitting?

0 Karma

Splunk Employee

Also, I did a Real Time 1min window and sent backfill data. Nothing showed.

0 Karma

Splunk Employee

I tested this with my reverse proxy config removed, local IPs, on the same local network as the instance last night, with the same result 😞

0 Karma

Ultra Champion

What URL do you have configured on your handset app?

0 Karma

Splunk Employee

Any more thoughts, @nickhillscpl?

0 Karma

Splunk Employee

I've tried the following (both http and https, with enabling and disabling SSL respectively in the HEC config):

  • internal IP while on the same wifi network with reverse proxy configuration removed.
  • external url which goes through nginx reverse proxy with both 8088 and 443 as ports

The one thing I haven't done is reconfigure my port forwarding and reverse proxy config so that my external URL points directly at my Splunk instance.

0 Karma

Ultra Champion

What actual Address are you using for the endpoint?
It should be yourhost:8088/services/collector/event

0 Karma

Splunk Employee

So the field in the app asks for the Splunk URL. Not the HEC endpoint. Since I use reverse proxy for the UI, I tried that. But I've also tried just putting the beginning bit of the HEC endpoint, assuming that it would add the /services/collector/event bit.
When I put in the base URL (without the reverse proxy stuff) it says successful, but my DMC shows nothing, and there's no data 😞

0 Karma