Dashboards & Visualizations

HTTP Event Collector: How to resolve a "401 Unauthorized from Splunk" error when trying to pass token in query string?

PepePelotas
New Member

I have enabled allowQueryStringAuth as mentioned in http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery and want to pass my token in the POST request like hxxp://192.168.2.1:8088/services/collector?token= however, i still get a 401 Unauthorized from Splunk.

A splunk btool check --debug gives me:

tmachielsen@TonsMacBookPro:~% /Applications/Splunk/bin/splunk btool check --debug 
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /Applications/Splunk/etc/users/admin/splunk_monitoring_console/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/learned/local/props.conf
Checking: /Applications/Splunk/etc/apps/search/local/indexes.conf
Checking: /Applications/Splunk/etc/apps/search/local/inputs.conf
Checking: /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 11: sourcetypeSelection  (value:  From List).
    Did you mean 'sourcetype'?
    Did you mean 'source'?
    Did you mean 'sourcetype'?
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 12: allowQueryStringAuth  (value:  true).
Checking: /Applications/Splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
Checking: /Applications/Splunk/etc/apps/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/SplunkForwarder/default/app.conf

Any idea what i do wrong?

Splunk Light 6.5.2 on OSX.

0 Karma

jtacy
Builder

This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf but not the Splunk Enterprise inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf . Also see http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...