Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector: How to resolve a "401 Unauthorized from Splunk" error when trying to pass token in query string?

PepePelotas
New Member
‎01-28-2017 08:35 AM

I have enabled allowQueryStringAuth as mentioned in http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery and want to pass my token in the POST request like hxxp://192.168.2.1:8088/services/collector?token= however, i still get a 401 Unauthorized from Splunk.

A splunk btool check --debug gives me:

tmachielsen@TonsMacBookPro:~% /Applications/Splunk/bin/splunk btool check --debug 
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /Applications/Splunk/etc/users/admin/splunk_monitoring_console/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/learned/local/props.conf
Checking: /Applications/Splunk/etc/apps/search/local/indexes.conf
Checking: /Applications/Splunk/etc/apps/search/local/inputs.conf
Checking: /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 11: sourcetypeSelection  (value:  From List).
    Did you mean 'sourcetype'?
    Did you mean 'source'?
    Did you mean 'sourcetype'?
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 12: allowQueryStringAuth  (value:  true).
Checking: /Applications/Splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
Checking: /Applications/Splunk/etc/apps/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/SplunkForwarder/default/app.conf

Any idea what i do wrong?

Splunk Light 6.5.2 on OSX.

0 Karma
Reply

jtacy
Builder
‎01-31-2017 09:16 AM

This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf but not the Splunk Enterprise inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf . Also see http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...