Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: CloudWatch to splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CloudWatch to splunk
Hi
Can you please help me , i got this message :
I have configured :
SPLUNK_HEC_URL = https://verifone.splunkcloud.com:8089/services/collector/
SPLUNK_HEC_TOKEN = FF8E4A4E-D81D-4034-A7C0-0C436F9A7415
This is the wrong message:
{
"errorMessage": "error: statusCode=401\n\n\n\n \n call not properly authenticated\n \n\n",
"errorType": "Error",
"stackTrace": [
"",
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"
"
"
"
"
"",
"IncomingMessage.res.on (/var/task/lib/mysplunklogger.js:77:25)",
"emitOne (events.js:96:13)",
"IncomingMessage.emit (events.js:188:7)",
"readableAddChunk (_stream_readable.js:176:18)",
"IncomingMessage.Readable.push (_stream_readable.js:134:10)",
"HTTPParser.parserOnBody (_http_common.js:123:22)",
"TLSSocket.socketOnData (_http_client.js:362:20)",
"emitOne (events.js:96:13)",
"TLSSocket.emit (events.js:188:7)",
"readableAddChunk (_stream_readable.js:176:18)"
]
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two issues here:
1. Your HEC URL is wrong. For splunk cloud managed instance iy should look like this: https://http-inputs-verifone.splunkcloud.com/services/collector/
2. I tried sending a test event (since you were kind enough to share your token) but I get an error:
curl -k https://http-inputs-verifone.splunkcloud.com/services/collector -H "Authorization: Splunk FF8E4A4E-D81D-4034-A7C0-0C436F9A7415" -d '{"event": "Test"}'
{"text":"Data channel is missing","code":10}
This error message is telling me you have enabled indexer acknowledgment on the token. This will not work.
So you need to create a new token without indexer acknowledgment and then test the curl command again with the correct url.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have created a new HEC token : B9C3AD8B-CC0C-4931-86CE-BB39D698F397
and i tried the following command:
curl -k https://verifone.splunkcloud.com:8089/en-US/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'
and i got the next error :
Method Not Allowed
Specified method is not allowed on this resource.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your URL is wrong again. You need to insert http-inputs- before verifone.splunkcloud.com and remove the port completely.
This works for me:
curl -k https://http-inputs-verifone.splunkcloud.com/services/collector -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "Test"}'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are great , you are right it's working
You helped me a lot
Many thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
curl -k https://http-inputs-verifone.splunkcloud.com/un-US/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'
i got this :
{"text":"The requested URL was not found on this server.","code":404}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are great , you are right it's working
You helped me a lot
Many thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
curl -k https://verifone.splunkcloud.com:8089/services/collector/ -H "Authorization: Splunk B9C3AD8B-CC0C-4931-86CE-BB39D698F397" -d '{"event": "hello world"}'
This is too brings me
<msg type="WARN">call not properly authenticated</msg>
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
