Getting Data In

Debug HEC input

vadimm
New Member

How debug HEC input?
To see incoming JSON?

0 Karma

PavelP
Motivator

Hello @vadimm

what is a problem you facing with? Do you need to debug the HEC input configuration or data itself? To see incoming JSON on the wire or before, during and after splunk processing?

to see JSON transmitted on the wire use tcpdump for HTTP input, some MitM Proxy for HTTPS input. Much easier if you can access the sending client.

Describe the situation with more than two sentences.

0 Karma

vadimm
New Member

On wire - not variant.
HTTPS and computer is same. On wire nothing emitted.
I get "Unable parse JSON" at DB Connect 3.3.0.
Want debug it.

0 Karma

PavelP
Motivator

@vadimm, describe your envrionment. First you mentioned HEC input, now you mentioned DB Connect, they are not related 🙂

0 Karma

vadimm
New Member

They is completely related 🙂
Output of DB Connect is input for HEC 🙂

0 Karma

PavelP
Motivator

your are right. But if you get an error on the DB Connect input phase, why you try to debug the HEC ?

please describe your environment. You wrote: HTTPS and computer are the same - what do you mean by this? Is this pipeline correct? And it is all on one and the same system? :

SQL DB -> DB Connect input -> Splunk -> HEC (HTTP Event Collector) input -> Splunk?

0 Karma

vadimm
New Member

Guess where DB connect use JSON format 😉
I`m wrote "Output of DB Connect is input for HEC".
Debug HEC input is logical, not?

HEC data input and add-on DB Connect installed on one computer. DB Connect use HTTPS and HEC, not pipeline :^-)

At last chain, "Splunk" is excessive. And not "DB Connect INPUT" 🙂
SQL DB - DB Connect - HEC

0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...