Getting Data In

HEC Curl Command Not Working?

thomastaylor
Communicator

Hello all! I have a weird problem occurring that I would like to get some feedback on. I currently am running a Splunk Enterprise instance on my local machine. Using the curl command and sending data via the HTTP Event Collector is given me some unexpected behavior. If I'm doing something wrong, please let me know!

Command #1:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'

It gives me a {"text":"Success","code":0}; however, when I search in the main index, it does not show the log.

Command #2:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '1, 2, 3... Hello, World!'

It gives me {"text":Success", "code":0} and displays it in the main index.

Command #3:

curl -k "https://localhost:8088/services/collector/raw?source=fakelog" -H "Authorization: Splunk fb920744-d924-413b-9c60-4593f152c3d5" -d '127.0.0.1 - admin "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms'

The difference between Command #1 and this one is the fact that I removed the timestamp. When I check Splunk, this log did come through on the main index.

Does anyone know what could be happening here?

Thanks!

1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@thomastaylor,

Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@thomastaylor,

Just a quick check - your timestamp says 28/Sep/2016:09:05:26.875 -0700 which is around 2 years back. Have you selected your time range in search head to cover last two years ? Select All Time and check if you are able to see the event.

Happy Splunking!

thomastaylor
Communicator

A bit of my pride has been taken away from me, haha. Yep, that was it. If you convert your a comment to an answer, I will certainly approve it.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@thomastaylor, glad to know it worked 🙂

Happy Splunking!
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...