My Health Post app on my phone shows data upload succeeded and the logs show that it's getting 200's in response...but no data shows in my configured index per the HEC token (and the video).
I've checked my token from outside (so no firewall issue). I turned off https because I'm not currently serving a cert on my HEC port, and I use a reverse proxy to get to the front-end UI.
I'm open to suggestions, but I think at this point it may be how the iOS app translates my Splunk URL into a HEC endpoint...
If you are sure that your data is coming into the Indexers, check the following (each of these will create a log in
1: If you are using an `index` value that is not defined:
1a: If you have `lastChanceIndex` defined, it will be there.
1b: If not, it will be dropped.
2: If your data is `malformed` then:
2a: If you have `malformedEventIndex` defined, it will be there.
2b: If not, it will be dropped.
3: If the date is too old, it will be dropped (see `MAX_DAYS_AGO`).
4: If the date is too far in the future, it will be dropped (see `MAX_DAYS_HENCE`).
5: If the date is interpreted incorrectly, you may be looking for it in the wrong place; it used to be that `All time` used `+Infinity` but in some versions of Splunk, Splunk changed it to `now` but in the very latest 8.0.2 it is back to `+Infinity`. In any case use the `Advanced` section of the `Timepicker` and use `0` for `Earliest` and `@d+20d` for `Latest`.
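As an added example (not part of the original answer): one search that applies the time range from item 5 and shows which index the events actually landed in, covering both the `lastChanceIndex` case and the mis-parsed timestamp case. It assumes your role is allowed to search all non-internal indexes.

```spl
| tstats count min(_time) AS first_event max(_time) AS last_event
    where index=* earliest=0 latest=@d+20d
    by index sourcetype source
| sort - last_event
| convert ctime(first_event) ctime(last_event)
```

Rows in an unexpected index, or with `first_event`/`last_event` far from the actual upload time, point at items 1 and 5 respectively.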
I've tried the following (both http and https, with enabling and disabling SSL respectively in the HEC config):
internal IP while on the same wifi network with reverse proxy configuration removed.
external url which goes through nginx reverse proxy with both 8088 and 443 as ports
The one thing I haven't done is reconfigure my port forwarding and reverse proxy config so that my external URL points directly at my Splunk instance.
So the field in the app asks for the Splunk URL. Not the HEC endpoint. Since I use reverse proxy for the UI, I tried that. But I've also tried just putting the beginning bit of the HEC endpoint, assuming that it would add the /services/collector/event bit.
When I put in the base URL (without the reverse proxy stuff) it says successful, but my DMC shows nothing, and there's no data 😞