Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HEC Curl Command Not Working?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all! I have a weird problem occurring that I would like to get some feedback on. I currently am running a Splunk Enterprise instance on my local machine. Using the curl command and sending data via the HTTP Event Collector is given me some unexpected behavior. If I'm doing something wrong, please let me know!
Command #1:
curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'
It gives me a {"text":"Success","code":0}; however, when I search in the main index, it does not show the log.
Command #2:
curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '1, 2, 3... Hello, World!'
It gives me {"text":Success", "code":0} and displays it in the main index.
Command #3:
curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'
The difference between Command #1 and this one is the fact that I removed the timestamp. When I check Splunk, this log did come through on the main index.
Does anyone know what could be happening here?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@thomastaylor,
Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@thomastaylor,
Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A bit of my pride has been taken away from me, haha. Yep, that was it. If you convert your a comment to an answer, I will certainly approve it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@thomastaylor, glad to know it worked 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
