
CloudWatch to splunk

ShayR3
New Member

Hi
Can you please help me? I got this message:
I have configured :
SPLUNK_HEC_URL = https://verifone.splunkcloud.com:8089/services/collector/
SPLUNK_HEC_TOKEN = FF8E4A4E-D81D-4034-A7C0-0C436F9A7415
This is the wrong message:
{
"errorMessage": "error: statusCode=401\n\n\n\n \n call not properly authenticated\n \n\n",
"errorType": "Error",
"stackTrace": [
"",
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"",
" ",
" call not properly authenticated",
"
",
"
",
"",
"IncomingMessage.res.on (/var/task/lib/mysplunklogger.js:77:25)",
"emitOne (events.js:96:13)",
"IncomingMessage.emit (events.js:188:7)",
"readableAddChunk (_stream_readable.js:176:18)",
"IncomingMessage.Readable.push (_stream_readable.js:134:10)",
"HTTPParser.parserOnBody (_http_common.js:123:22)",
"TLSSocket.socketOnData (_http_client.js:362:20)",
"emitOne (events.js:96:13)",
"TLSSocket.emit (events.js:188:7)",
"readableAddChunk (_stream_readable.js:176:18)"
]
}

0 Karma

ytenenbaum_splu
Splunk Employee

There are two issues here:
1. Your HEC URL is wrong. For a Splunk Cloud managed instance it should look like this: https://http-inputs-verifone.splunkcloud.com/services/collector/
2. I tried sending a test event (since you were kind enough to share your token) but I get an error:
curl -k https://http-inputs-verifone.splunkcloud.com/services/collector -H "Authorization: Splunk FF8E4A4E-D81D-4034-A7C0-0C436F9A7415" -d '{"event": "Test"}'
{"text":"Data channel is missing","code":10}
This error message is telling me you have enabled indexer acknowledgment on the token. This will not work.
So you need to create a new token without indexer acknowledgment and then test the curl command again with the correct url.

0 Karma

ShayR3
New Member

I have created a new HEC token: B9C3AD8B-CC0C-4931-86CE-BB39D698F397
and I tried the following command:
curl -k https://verifone.splunkcloud.com:8089/en-US/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'

and I got the next error:

Method Not Allowed

Specified method is not allowed on this resource.

0 Karma

ytenenbaum_splu
Splunk Employee

Your URL is wrong again. You need to insert http-inputs- before verifone.splunkcloud.com and remove the port completely.

This works for me:

curl -k https://http-inputs-verifone.splunkcloud.com/services/collector -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "Test"}'

0 Karma

ShayR3
New Member

You are great, you are right, it's working
You helped me a lot
Many thanks 🙂

0 Karma

ShayR3
New Member

curl -k https://http-inputs-verifone.splunkcloud.com/un-US/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'

I got this:

{"text":"The requested URL was not found on this server.","code":404}

0 Karma

ShayR3
New Member

curl -k https://verifone.splunkcloud.com:8089/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'

This too brings me:

<msg type="WARN">call not properly authenticated</msg>
0 Karma
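
The URL rules and error causes given in the answers above, written as a pre-flight check for the Lambda's SPLUNK_HEC_URL setting. This is an added example, not code from the thread or from Splunk; the function names checkHecUrl and explainHecResponse are hypothetical, and the numeric status codes 404 and 405 are assumed from the quoted response texts.

```javascript
// Added example (not from the thread): validate SPLUNK_HEC_URL before deploying.
// Rules encode only what the answers state for a managed Splunk Cloud stack.
function checkHecUrl(raw) {
  const problems = [];
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return ['not a valid URL'];
  }
  if (u.protocol !== 'https:') problems.push('scheme must be https');
  // Managed Splunk Cloud serves HEC from the http-inputs-<stack> host.
  if (u.hostname.endsWith('.splunkcloud.com') &&
      !u.hostname.startsWith('http-inputs-')) {
    problems.push('host must start with http-inputs-');
  }
  // The fix in the thread removes the port completely (8089 was in use).
  if (u.port !== '') problems.push('remove port ' + u.port);
  // Path starts at /services/collector, with no locale prefix such as /en-US.
  if (!/^\/services\/collector(\/|$)/.test(u.pathname)) {
    problems.push('path must start with /services/collector');
  }
  return problems;
}

// Map the responses quoted in the thread to the cause given for each.
function explainHecResponse(status, body) {
  let parsed = null;
  try { parsed = JSON.parse(body); } catch (e) { /* XML or HTML body */ }
  if (parsed && parsed.code === 10) {
    return 'indexer acknowledgment is enabled on the token; create a token without it';
  }
  if (status === 401 && /call not properly authenticated/.test(body)) {
    return 'HEC URL is wrong: this reply came from port 8089 on the bare stack host';
  }
  if (status === 404 || status === 405) {
    return 'wrong path or host; use /services/collector on the http-inputs- host';
  }
  return 'not covered by this thread';
}

// Report problems for the value the Lambda would actually use, if set.
if (process.env.SPLUNK_HEC_URL) {
  console.log(checkHecUrl(process.env.SPLUNK_HEC_URL));
}
```
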