Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector: How to resolve a "401 Unauthorized from Splunk" error when trying to pass token in query string?

PepePelotas
New Member
‎01-28-2017 08:35 AM

I have enabled allowQueryStringAuth as mentioned in http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery and want to pass my token in the POST request like hxxp://192.168.2.1:8088/services/collector?token= however, i still get a 401 Unauthorized from Splunk.

A splunk btool check --debug gives me:

tmachielsen@TonsMacBookPro:~% /Applications/Splunk/bin/splunk btool check --debug 
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /Applications/Splunk/etc/users/admin/splunk_monitoring_console/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/learned/local/props.conf
Checking: /Applications/Splunk/etc/apps/search/local/indexes.conf
Checking: /Applications/Splunk/etc/apps/search/local/inputs.conf
Checking: /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 11: sourcetypeSelection  (value:  From List).
    Did you mean 'sourcetype'?
    Did you mean 'source'?
    Did you mean 'sourcetype'?
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 12: allowQueryStringAuth  (value:  true).
Checking: /Applications/Splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
Checking: /Applications/Splunk/etc/apps/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/SplunkForwarder/default/app.conf

Any idea what i do wrong?

Splunk Light 6.5.2 on OSX.

0 Karma
Reply

jtacy
Builder
‎01-31-2017 09:16 AM

This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf but not the Splunk Enterprise inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf . Also see http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...