Splunk App for Infrastructure: Http Event Collector Tokens

Explorer

Hello,

I'm trying to set up some monitoring/dashboards for the infra in our team.
I've installed Splunk App & Add-on for Infrastructure and it needs me to set up a HTTP Event Collector (HEC).

However, when I go to set that up, it keeps giving me this error: "A token cannot have individual configuration for port."

I'm following the steps here: https://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector

My global settings have tokens enabled, port set at 8088. (Although it says 'optional', I can't leave it blank because it keeps telling me "Parameter port: Ports must be numeric values.")

How do I deal with the HEC error message so I can continue with collection?

Builder

What this message says is that once you set up a global TCP port to enable HEC, you cannot assign a new port to a new token; the port should be the same for every HEC. What should be individual is the token that you set up for each individual HEC configuration.
Enable the global configuration first, defining the HEC port. My suggestion is to delete any previous HEC configuration and re-run the configuration again.

1 - Enable the Global configuration
2 - Create a new HEC

I followed the documentation link you provided.

I use this command from the command prompt just to make sure my token configuration is correct and able to receive data.

curl -k https://:8088/services/collector/event -H "Authorization: splunk " -d '{"event":"hello world"}'
{"text":"Success","code":0}

and it worked; please try from your end.

0 Karma

Explorer

This did not solve the issue. Within the new token creation, there's no option to set a port anywhere, which is why it's confusing to me that it's saying there are individual ports configured for the token.

I have removed the folder /splunk/etc/apps/splunk_httpinput/local and tried it again. It created a new local folder but I was still not able to create a new token. Same error.

0 Karma

Builder

The port is set up only in the global configuration. When you are creating the token, this parameter is not requested because the port that the token will use is port 8088 or any other port you set up previously in the global configuration.
My suggestion is to follow the procedure I provided and run the test that I suggested in order to make sure the token is properly configured and receiving data.
The token configuration has to be done on a heavy forwarder to receive the data and send it to indexers for indexing.
Another important verification is how you set up the token internally in your application to send the log. The curl command that I provided is only a sample you can use to validate that the configuration is set up properly.

0 Karma

Explorer

If I'm understanding this correctly, your procedure is to:
- delete input.conf for HEC
- enable global config for splunk to create fresh file
- Create new token
- go through config of creating new token

If that is what you meant, I had already run through those steps again but it still gives me the same error of 'individual port'.

0 Karma
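
Added example, not part of the thread and not Splunk's own code: a Python check that scans inputs.conf text for a port setting anywhere other than the global [http] stanza. It assumes the error refers to a port key that sits under a token stanza ([http://<name>]) or is inherited from [default]; the thread does not confirm the cause. The app name example_app, the token name and the token values are constructed.

```python
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Keys that appear before any stanza header are stored under 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_hec_ports(files):
    """files maps path -> inputs.conf text.
    Returns (global_ports, findings): the port set in each [http] stanza, and
    every port set in a token stanza or in [default] (inherited by all stanzas)."""
    global_ports, findings = {}, []
    for path, text in files.items():
        for stanza, settings in parse_conf(text).items():
            if "port" not in settings:
                continue
            if stanza == "http":
                global_ports[path] = settings["port"]
            elif stanza.startswith("http://") or stanza == "default":
                findings.append((path, stanza, settings["port"]))
    return global_ports, findings

# Constructed sample: one clean global file, one app that overrides the port per token.
SAMPLE = {
    "etc/apps/splunk_httpinput/local/inputs.conf":
        "[http]\ndisabled = 0\nport = 8088\n",
    "etc/apps/example_app/local/inputs.conf":
        "# constructed token stanza\n[http://infra_token]\n"
        "token = 00000000-0000-0000-0000-000000000000\nport = 8089\n",
}

if __name__ == "__main__":
    ports, bad = audit_hec_ports(SAMPLE)
    print("global [http] ports:", ports)
    for path, stanza, port in bad:
        print(f"{path}: [{stanza}] sets port = {port}")
```

On a real instance, feed it the contents of every inputs.conf under etc/system and etc/apps, since the deleted splunk_httpinput/local folder is only one of the places a stanza can live.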