Hi,
with the new Splunk DB Connect 3, we use the Splunk HTTP Event Collector (HEC) to get the data.
If there is no data ingested, how can I find out whether the HTTP Event Collector is trying to use a port (8088 by default) which is already in use?
I can't see any message in _internal that tells me whether HEC is running or is trying to bind to a specific port.
How do I troubleshoot this?
Thanks,
Holger
Hi,
with DBX 3 we now use a local HEC as mentioned by @jcoates.
If you have trouble receiving data from DBX3, search the internal index for
03-08-2017 14:30:57.167 +0000 FATAL HTTPServer - Could not bind to port 8088
Netstat et al are good ideas, too.
HTH,
Holger
Your question refers to an unrelated technology (DBConnect) for the HTTP event collector, assuming you're on Linux and you are either root or the user running Splunk, you could do:
netstat -anp | grep 8088
And ensure that you see the Splunk process using the port number.
You might also see the port 8088 in your metrics.log file of your Splunk server receiving the traffic if there is data coming through...
DB Connect v3 uses a local HEC to push data into Splunk. Otherwise, this is correct advice. I also suggest the index=_internal logs, perhaps a search for error and port would be helpful.
Interesting. It would be great if the documentation mentioned this; I'm not sure if I missed a mention of it in the newer DB Connect v3 documentation...
Splunk DB Connect is an app to configure inputs for getting data from a database. How is that related to HEC?
HEC is a convenient REST end-point to post data into Splunk.
DB Connect v3 uses a local HEC to push data into Splunk
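The two checks suggested in this thread (the bind-failure message and the netstat lookup) combined into one triage script, as an added example that is not part of any post above. The function names and sample inputs are constructed for illustration, and reading the message from splunkd.log rather than through an index=_internal search is an assumption.

```shell
#!/bin/sh
# Triage helpers for "HEC receives no data" (added example, hypothetical names).

# Ports splunkd reported it could not bind, from splunkd.log-style lines on stdin.
hec_bind_failures() {
  sed -n 's/.* FATAL HTTPServer - Could not bind to port \([0-9][0-9]*\).*/\1/p' | sort -u
}

# "PID/program" listening on TCP port $1, from `netstat -anp` output on stdin.
# Stricter than `grep 8088`: exact local port, LISTEN state only (no 18088, no PIDs).
port_listener() {
  awk -v port="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7 }' | sort -u
}

# Combine both checks: $1 = log text, $2 = netstat text, $3 = expected HEC port.
diagnose_hec() {
  owner=$(printf '%s\n' "$2" | port_listener "$3")
  failed=$(printf '%s\n' "$1" | hec_bind_failures | grep -x "$3" || true)
  case "$owner" in
    */splunkd) echo "ok: splunkd listens on $3" ;;
    "")        echo "down: nothing listens on $3${failed:+ (bind failure logged)}" ;;
    -)         echo "unknown owner on $3: rerun netstat as root or the Splunk user" ;;
    *)         echo "conflict: $3 held by $owner${failed:+ (bind failure logged)}" ;;
  esac
}

# Constructed sample inputs (the log line format is the one quoted in the thread).
SAMPLE_LOG='03-08-2017 14:30:57.167 +0000 FATAL HTTPServer - Could not bind to port 8088'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:8088      0.0.0.0:*         LISTEN      4321/java
tcp        0      0 0.0.0.0:8089      0.0.0.0:*         LISTEN      1234/splunkd
tcp        0      0 10.0.0.5:51234    10.0.0.9:18088    ESTABLISHED 1234/splunkd'

diagnose_hec "$SAMPLE_LOG" "$SAMPLE_NETSTAT" 8088

# Live use (as root or the Splunk user, per the thread):
#   diagnose_hec "$(cat "$SPLUNK_HOME/var/log/splunk/splunkd.log")" "$(netstat -anp 2>/dev/null)" 8088
```

A "conflict" result means another process holds the port, so either stop that process or move HEC to a free port.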