Getting Data In

Akamai data input throwing error

Karthikeya
Communicator

Hi all, I am trying to pull Akamai logs to Splunk. Hence I installed this app on the HF - https://splunkbase.splunk.com/app/4310 and in data inputs gave all the required fields (that were provided by Akamai), and when trying to save it the following error came: Encountered the following error while trying to save: HTTP 404 -- Action forbidden. What is the meaning of this error? Is it an issue from the Akamai end or the Splunk end? We have recently enabled our HF and this error is showing? Is this issue related to this error?

Please help me to get rid of this issue and the error?

Karthikeya_0-1743162043321.png

 

0 Karma

PickleRick
SplunkTrust

It's hard to say precisely since the addon is not very talkative in terms of logs, but my understanding would be that Splunk is trying to validate the config - see https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsValidate to see how it works.

The 404 error comes from the addon itself. Unfortunately, it's not very descriptive. And it's confusing since 404 means that resource wasn't found. Access permissions problems should be signalled with 403.

You could try to check if the addon has some configurable logging (typically you'd look for log4j.properties file in case of java-based software).

Are you using proxy to reach the internet?

0 Karma

Karthikeya
Communicator

Yes using proxy for that in our company and whitelisted these domains as well in our AWS VPC..

0 Karma

PickleRick
SplunkTrust

Whitelisting is one thing but I'd verify with your proxy admins that the requests are properly passed through. Just to be on the safe side.

0 Karma

Karthikeya
Communicator

I checked by going to my AWS linux instance (where our Splunk instances reside) for this particular add-on folder we have drwx------- permissions in both DS and HF. Do I need to change these permissions to configure data input in HF? or these permissions are sufficient? @PickleRick 

0 Karma

PickleRick
SplunkTrust

Since the app is being pulled from DS by the same process which will be using it (or spawning additional processes under the same user), the permissions on the HF should be good. On the DS of course the splunkd process must be able to access the whole directory to make an archive of its contents. 0700 should be ok as long as all files and directories are owned by the user the splunkd process is running as.

0 Karma

Karthikeya
Communicator

Can I try giving chmod 755 to that app? Will that work? Or can I remove the app and install it and push it again?

0 Karma

PickleRick
SplunkTrust

Won't hurt. But I would first try checking ownership, not permissions.

0 Karma

Karthikeya
Communicator

So how to check ownership? I have admin rights in Splunk UI and root user in AWS linux splunk instance...

0 Karma

PickleRick
SplunkTrust

For example with

ls -laR /opt/splunk/etc/deployment-apps/whatever_TA

 

0 Karma

Karthikeya
Communicator

drwx------- Splunk Splunk TA_Akamai_SIEM ... This is what is there for this app in DS and HF

0 Karma

PickleRick
SplunkTrust

The -R parameter is so that you list contents recursively. If all directories and files are owned by Splunk:Splunk and have 700 (or 600 for files) permissions, that should be OK.

0 Karma
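The recursive ownership and permission check discussed in the replies above, as an added example that is not part of the original thread or of the add-on. The function name `audit_app_tree` is hypothetical, it assumes GNU find (for `-printf`), and the world-writable check goes beyond what the thread asks for.

```shell
# Added example (not from the thread). Requires GNU find for -printf.
# audit_app_tree DIR OWNER
#   Prints one line per finding; returns 0 if clean, 1 if findings, 2 on bad input.
audit_app_tree() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # %u owner name, %m octal mode, %y entry type, %p path
    find "$dir" -printf '%u %m %y %p\n' | {
        bad=0
        while read -r u m t p; do
            # Every entry must belong to the user splunkd runs as.
            if [ "$u" != "$owner" ]; then
                echo "OWNER $u (expected $owner): $p"
                bad=1
            fi
            [ "$t" = l ] && continue      # symlink mode bits are not meaningful
            # Owner needs r-x on directories and r-- on files to read the app.
            if [ "$t" = d ]; then need=5; else need=4; fi
            obits=$(( (0$m >> 6) & 7 ))
            if [ $(( obits & need )) -ne "$need" ]; then
                echo "MODE $m (owner cannot read): $p"
                bad=1
            fi
            # Write access for "other" lets any local user alter the add-on.
            if [ $(( 0$m & 2 )) -ne 0 ]; then
                echo "WORLD-WRITABLE $m: $p"
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
```

Call it with the app directory and the account splunkd runs as, for example `audit_app_tree /opt/splunk/etc/deployment-apps/whatever_TA splunk`; no output means ownership and modes are consistent.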

Karthikeya
Communicator

My splunkd.log please check

Karthikeya_0-1743175208699.png

 

0 Karma

kiran_panchavat
Influencer

@Karthikeya 

The error shows TA-Akamai_SIEM modular input is failing with HTTP 404 -- Action forbidden.
This likely means the API endpoint is incorrect or access is denied due to invalid credentials or permissions.


Check HF network access to Akamai: 

curl -i https://<akamai-api-endpoint>

Replace <akamai-api-endpoint> with the exact API URL you're using. You should NOT get a 404 or 403 if the endpoint and credentials are correct.

Contact Akamai support to confirm that:

  • Make sure all required fields (API URL, credentials, etc.) are correctly filled.
  • The API credentials (tokens) are still active and have permission to fetch SIEM logs.
  • The specific endpoint being used is correct (Akamai has multiple regions and base URLs).

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

livehybrid
Champion

Hi @Karthikeya 

Please check your splunk.log in $SPLUNK_HOME/var/log/splunk/splunkd.log for any other errors around the ModularInputs component - Do you have other errors relating to this TA-Akamai_SIEM?

Alternatively try the following search

index=_internal component=ModularInputs log_level=Error

Do you see anything like "script running failed (PID 51184 exited with code 127)" ?

Have you set up Java? This is required for the app to work; not having the correct Java setup can cause the endpoint to initialise and thus you will get error messages.

For more info on installation check out https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Karthikeya
Communicator

Java already installed on splunk instance.

0 Karma

Karthikeya
Communicator

Karthikeya_0-1743166716894.png

This is the splunkd file.

0 Karma

kiran_panchavat
Influencer

@Karthikeya 

HTTP 404: This status code means the requested resource (in this case, likely a Splunk REST API endpoint) could not be found. This could happen if the app is trying to interact with an endpoint that doesn’t exist or is misconfigured.
 
Action Forbidden: This implies that even if the endpoint exists, the user or process attempting the action lacks the necessary permissions to complete it, or the action itself is restricted.
 
If your API credentials (Client Token, Client Secret, Access Token, Hostname) are wrong or don't have the required permissions, it might return a 403/404 error.
 
  • Did you restart the HF after installing the add-on?
  • Check splunkd.log for any Akamai-related errors
  • Validate Akamai credentials and endpoint format
 
 
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Karthikeya
Communicator

How to check splunkd errors in UI?

0 Karma

livehybrid
Champion

You could start with something like this and narrow down as required:

index=_internal host=<YourServerName> log_level=Error

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

Karthikeya
Communicator

In our environment, we have kept the modular input in DS under deployment apps and pushed it to the HF using a serverclass. Is this the issue? Do modular inputs need to be installed directly on the HF rather than pushed from the DS?

0 Karma