Getting Data In

HEC Curl Command Not Working?

Communicator

Hello all! I have a weird problem occurring that I would like to get some feedback on. I currently am running a Splunk Enterprise instance on my local machine. Using the curl command and sending data via the HTTP Event Collector is given me some unexpected behavior. If I'm doing something wrong, please let me know!

Command #1:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'

It gives me a {"text":"Success","code":0}; however, when I search in the main index, it does not show the log.

Command #2:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '1, 2, 3... Hello, World!'

It gives me {"text":Success", "code":0} and displays it in the main index.

Command #3:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'

The difference between Command #1 and this one is the fact that I removed the timestamp. When I check Splunk, this log did come through on the main index.

Does anyone know what could be happening here?

Thanks!

1 Solution

SplunkTrust
SplunkTrust

@thomastaylor,

Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.

View solution in original post

SplunkTrust
SplunkTrust

@thomastaylor,

Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.

View solution in original post

Communicator

A bit of my pride has been taken away from me, haha. Yep, that was it. If you convert your a comment to an answer, I will certainly approve it.

0 Karma

SplunkTrust
SplunkTrust

@thomastaylor, glad to know it worked 🙂