- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can someone help us with our HTTP event collector ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can someone help us with our HTTP event collector 400 error?
Hi all,
Does anybody know which is the file logs where we could check if the syntax of a HTTP post request is correct?
Our issue is that our system sent an HTTP POST to Splunk and it received a 400 error.
We see that this message could be: 1
5 400 Bad Request No data
6 400 Bad Request Invalid data format
7 400 Bad Request Incorrect index
...
0 400 Bad Request Data channel is missing
11 400 Bad Request Invalid data channel
12 400 Bad Request Event field is required
13 400 Bad Request Event field cannot be blank
14 400 Bad Request ACK is disabled
15 400 Bad Request Error in handling indexed fields
16 400 Bad Request Query string authorization is not enabled
Anybody know how we could check the status code of the bad requests?
Thank you,
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anybody know how we could check the status code of the bad requests?
This is in the response body or content of the request. It will include the code and text description. Below is an example of the incorrect index response:
{"text":"Incorrect index","code":7,"invalid-event-number":1}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the splunk issue in 7.2 it seems , we have had the same issue where we are seeing tons of log saying ERROR HttpInputDataHandler - Parsing error : Error in handling indexed fields , we are using the same token across our nodes and splunk 6.6 version works fine with the same set of jsons we are sending but the once we tried the same requests using HEC in splunk 7.2 , we have started to see these issues.
Can somebody please let us know if they had seen any changes from 6.6 to 7.2 for Http event collector feeding data differently now.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Is the index name is configured correctly while token was created ?
Is correct token has been used for sending the data ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @iamarkprabha, as index name and token haven't been modified so we can discard these reason. The main problem is that we aren't able to check how it is the syntax of the http request that the system sends, so we thought that the best solution should be to check on the Splunk server side. Do you know if splunk has a log file where we could check the syntax of the malformed http request?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@iamarkaprabha converted answer to comment, since you have asked for further details. This will keep the question as unanswered for others to assist.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Niket
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
Video | Tom’s Smartness Journey Continues
