Getting Data In

Debug HEC input

vadimm
New Member

How debug HEC input?
To see incoming JSON?

0 Karma

PavelP
Motivator

Hello @vadimm

what is a problem you facing with? Do you need to debug the HEC input configuration or data itself? To see incoming JSON on the wire or before, during and after splunk processing?

to see JSON transmitted on the wire use tcpdump for HTTP input, some MitM Proxy for HTTPS input. Much easier if you can access the sending client.

Describe the situation with more than two sentences.

0 Karma

vadimm
New Member

On wire - not variant.
HTTPS and computer is same. On wire nothing emitted.
I get "Unable parse JSON" at DB Connect 3.3.0.
Want debug it.

0 Karma

PavelP
Motivator

@vadimm, describe your envrionment. First you mentioned HEC input, now you mentioned DB Connect, they are not related 🙂

0 Karma

vadimm
New Member

They is completely related 🙂
Output of DB Connect is input for HEC 🙂

0 Karma

PavelP
Motivator

your are right. But if you get an error on the DB Connect input phase, why you try to debug the HEC ?

please describe your environment. You wrote: HTTPS and computer are the same - what do you mean by this? Is this pipeline correct? And it is all on one and the same system? :

SQL DB -> DB Connect input -> Splunk -> HEC (HTTP Event Collector) input -> Splunk?

0 Karma

vadimm
New Member

Guess where DB connect use JSON format 😉
I`m wrote "Output of DB Connect is input for HEC".
Debug HEC input is logical, not?

HEC data input and add-on DB Connect installed on one computer. DB Connect use HTTPS and HEC, not pipeline :^-)

At last chain, "Splunk" is excessive. And not "DB Connect INPUT" 🙂
SQL DB - DB Connect - HEC

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...