Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector: How to resolve a "401 Unauthorized from Splunk" error when trying to pass token in query string?

PepePelotas
New Member
‎01-28-2017 08:35 AM

I have enabled allowQueryStringAuth as mentioned in http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery and want to pass my token in the POST request like hxxp://192.168.2.1:8088/services/collector?token= however, i still get a 401 Unauthorized from Splunk.

A splunk btool check --debug gives me:

tmachielsen@TonsMacBookPro:~% /Applications/Splunk/bin/splunk btool check --debug 
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /Applications/Splunk/etc/users/admin/splunk_monitoring_console/local/ui-prefs.conf
Checking: /Applications/Splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/learned/local/props.conf
Checking: /Applications/Splunk/etc/apps/search/local/indexes.conf
Checking: /Applications/Splunk/etc/apps/search/local/inputs.conf
Checking: /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 11: sourcetypeSelection  (value:  From List).
    Did you mean 'sourcetype'?
    Did you mean 'source'?
    Did you mean 'sourcetype'?
        Invalid key in stanza [http://Speedway Connect] in /Applications/Splunk/etc/apps/splunk_httpinput/local/inputs.conf, line 12: allowQueryStringAuth  (value:  true).
Checking: /Applications/Splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
Checking: /Applications/Splunk/etc/apps/user-prefs/local/user-prefs.conf
Checking: /Applications/Splunk/etc/apps/SplunkForwarder/default/app.conf

Any idea what i do wrong?

Splunk Light 6.5.2 on OSX.

0 Karma
Reply

jtacy
Builder
‎01-31-2017 09:16 AM

This appears to be a Splunk Cloud feature. It's listed on the Splunk Cloud inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.1612/Admin/Inputsconf but not the Splunk Enterprise inputs.conf docs at http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf . Also see http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#tokenasquery which explains that this currently offered in Splunk Cloud and Splunk Light Cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...