How to fetch HTTP event collector's TRUNCATE value through HEC token validation?

sanjarmatin
New Member

I need to post data to the HTTP event collector, but the size of my JSON can be greater than what the event collector accepts.
I can send a truncated JSON within its allowable size, but for that I need to know its allowable size beforehand through a REST API call.

The intention is to fetch the config property of Splunk which will tell us the max size of JSON which can be sent for posting events. On the basis of that I can truncate the JSON before posting the events with the JSON size limit fetched.

I did try the below exposed REST API for fetching Splunk configuration, but it works with Basic authentication and not with HEC token.

/services/configs/conf-props/collectd_http
Is it possible that I can fetch the data with HEC token as well?
So basically [1] works fine but [2] does not, and I need to access it through [2] token only.

[1] curl -k -u admin:test@1234 -X GET https://ec2-34-220-0-66.us-west-2.compute.amazonaws.com:8089/services/configs/conf-props/collectd_ht...

[2] curl -k -H 'Authorization:Splunk 782c4529-c5c4-45f5-97cf-546d4d438fe7' -X GET https://ec2-34-220-0-66.us-west-2.compute.amazonaws.com:8089/services/configs/conf-props/collectd_ht...

I feel the problem lies with fetching the configuration property, because it might be that the configuration files are only exposed to ADMIN. Because the basic credentials passed are for ADMIN and not a normal user, it fetches the value for it, but when we send the token it does not identify it as ADMIN's token, hence the token authentication fails and no response is sent back.

0 Karma

sanjarmatin
New Member

@efavreau @fdarrigo
Can you guys please help me here?

0 Karma

efavreau
Motivator

@sanjarmatin Your question doesn't match the details you provided. You say fetch, but provide POST. You say the curl authenticated command works, but not the token authenticated command. The commands listed are not the same commands. Please edit your question and provide more details to say what the goal is, what was tried, and where you think the problem is. Also, what version of Splunk are you on? Is this on-premise or cloud?

Things to look for:
- Make sure you are comparing the exact same endpoints (note: your two commands are not the same endpoint)
- To the best of my knowledge, the authentication to the endpoints shouldn't matter - unless your token is valid and not expired. Check for that.
- Check your commands for -X GET and -X POST and other flags where appropriate.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

sanjarmatin
New Member

@efavreau
- Updated the question with correct endpoints, there was a typo earlier.
- By default the curl requests are GET, however I have updated it with GET to make it more clear.
- Splunk is on-premise.
- The intention is to fetch the config property of Splunk which will tell us the max size of JSON which can be sent for posting events. On the basis of that I can truncate the JSON before posting the events with the JSON size limit fetched.

0 Karma