How to fetch HTTP event collector's TRUNCATE value through HEC token validation?

New Member

I need to post data to the HTTP event collector, but the size of my JSON can be greater than what the event collector accepts.
I can send a truncated JSON within its allowable size, but for that I need to know its allowable size beforehand through a REST API call.

The intention is to fetch the config property of Splunk which will tell us the max size of JSON which can be sent for posting events. On the basis of that I can truncate the JSON before posting the events with the JSON size limit fetched.

I did try the below exposed REST API for fetching Splunk configuration, but it works with Basic authentication and not with the HEC token.

/services/configs/conf-props/collectd_http
Is it possible that I can fetch the data with HEC token as well?
So basically [1] works fine but [2] does not, and I need to access it through [2] token only.

[1] curl -k -u admin:test@1234 -X GET https://ec2-34-220-0-66.us-west-2.compute.amazonaws.com:8089/services/configs/conf-props/collectd_ht...

[2] curl -k -H 'Authorization:Splunk 782c4529-c5c4-45f5-97cf-546d4d438fe7' -X GET https://ec2-34-220-0-66.us-west-2.compute.amazonaws.com:8089/services/configs/conf-props/collectd_ht...

I feel the problem lies with fetching the configuration property, because it might be that the configuration files are only exposed to ADMIN. The basic credentials passed are for ADMIN and not a normal user, hence it fetches the value for it, but when we send the token it does not identify it as ADMIN's token, hence the token authentication fails and no response is sent back.

0 Karma

New Member

@efavreau @fdarrigo
Can you guys please help me here?

0 Karma

Builder

@sanjarmatin Your question doesn't match the details you provided. You say fetch, but provide POST. You say the curl authenticated command works, but not the token authenticated command. The commands listed are not the same commands. Please edit your question and provide more details to say what the goal is, what was tried, and where you think the problem is. Also, what version of Splunk are you on? Is this on-premise or cloud?

Things to look for:
- Make sure you are comparing the exact same endpoints (note: your two commands are not the same endpoint)
- To the best of my knowledge, the authentication to the endpoints shouldn't matter - unless your token is valid and not expired. Check for that.
- Check your commands for -X GET and -X POST and other flags where appropriate.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

@efavreau
- Updated the question with correct endpoints, there was a typo earlier.
- By default the curl requests are GET, however I have updated it with GET to make it more clear.
- Splunk is on-premise.
- The intention is to fetch the config property of Splunk which will tell us the max size of JSON which can be sent for posting events. On the basis of that I can truncate the JSON before posting the events with the JSON size limit fetched.

0 Karma
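
The truncation step the question describes, as an added example that is not part of the thread or Splunk's own code. It assumes the size limit has already been obtained some other way and is passed in as `max_bytes`, and that the raw event is sent as text in the HEC `event` key; the function name, the default sourcetype and the `truncated` marker field are hypothetical.

```python
import json


def fit_hec_event(event_text, max_bytes, sourcetype="_json"):
    """Serialize an HEC envelope whose UTF-8 size is at most max_bytes.

    max_bytes is an assumption supplied by the caller; this function does
    not look the limit up. The payload is cut by whole characters, so the
    result is always valid UTF-8 and valid JSON.
    """

    def encode(text, truncated):
        body = {"event": text, "sourcetype": sourcetype}
        if truncated:
            # Hypothetical marker so searches can find shortened events.
            body["fields"] = {"truncated": "true"}
        return json.dumps(
            body, ensure_ascii=False, separators=(",", ":")
        ).encode("utf-8")

    payload = encode(event_text, False)
    if len(payload) <= max_bytes:
        return payload

    # The serialized size grows with the prefix length, so binary search
    # finds the longest prefix that still fits (JSON escaping such as \"
    # or \n is accounted for because the real encoder is measured).
    lo, hi = 0, len(event_text)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if len(encode(event_text[:mid], True)) <= max_bytes:
            lo = mid
        else:
            hi = mid - 1

    payload = encode(event_text[:lo], True)
    if len(payload) > max_bytes:
        raise ValueError("max_bytes is smaller than an empty envelope")
    return payload


if __name__ == "__main__":
    # Constructed sample: 500 two-byte characters against a 200-byte limit.
    out = fit_hec_event("é" * 500, 200)
    print(len(out), out.decode("utf-8")[:60])
```
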