HEC with Splunk Cloud trial - Domain does not exist?

philwild
Explorer

I am trying to send data to a Splunk Cloud free trial account.

Following the documentation here: https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/UsetheHTTPEventCollector

This is what I should use:

You must send data using a specific URI for HEC.

The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:

<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

But the domain name does not exist (the subdomain with the http-inputs. part).

Is the documentation wrong? How do I get this working?

 


philwild
Explorer

That kind of goes against the documentation then. 

I've done some investigating...

Looking at outputs.conf of the bundled forwarder app, there is a single host associated with the trial instance. I'm now assuming this "free-trial" service is just a cloud provisioned "pseudo" "Splunk Enterprise" instance.

I've also just confirmed that port 8088 is open on the stack address.

Based on that, I've just tested following the instructions for basic Splunk Enterprise and it works...

So the answer is... For Splunk Cloud trials as of 06 May 2022, use the Splunk Enterprise config, being

https://<stack>.splunkcloud.com:8088/services/collector/event

FYI: @jmeager_splunk 

cgreengr
Observer

Hi @Phil, I came across your post because I was trying to solve an issue I was getting. I set up a free Splunk Cloud trial account and am using the URL to send data through the Event Collector and am still receiving this error:

 "last_error": "Post \"https://prd-p-9vxw3.splunkcloud.com:8088/services/collector/event\": dial tcp: lookup prd-p-9vxw3.splunkcloud.com on 10.4.0.10:53: no such host",
  "last_message": "Incorrect Splunk HEC URL",

Even after disabling TLS as well for the Splunk Cloud Free Trial account. Do you have any idea why my URL is "incorrect"? 


Thanks! 


sourcerersplunk
New Member

Good morning

I have the same problem, but I'm checking the answers, and I'm missing some (maybe obvious) concept

Which is <stack> in this scenario?

I have just created the trial account, and I access the console at

https://prd-p-xxxxx.splunkcloud.com/

(xxxxx to redact the code - I imagine it is important)

Which is the stack in this case? And the HEC endpoint?


philwild
Explorer

Just make it match your cloud stack URL...

 

In your case, just like the below, but replace your masking x's with what is in your stack's URL:

https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event


isoutamo
SplunkTrust
Thanks, it's good to know that this is currently possible if needed.
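
A way to run the check discussed in this thread, as an added example that is not code from any poster or from Splunk: it takes the console URL, tests whether the stack host and the documented `http-inputs.` host resolve in DNS, and builds the port-8088 URL from philwild's answer. The host `prd-p-example` and the function names are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

HEC_PORT = 8088                          # port reported open in the thread
HEC_PATH = "/services/collector/event"   # endpoint path from the thread


def stack_host(console_url):
    """Extract the stack hostname from a console URL or bare hostname."""
    if "//" not in console_url:
        console_url = "https://" + console_url
    host = (urlsplit(console_url).hostname or "").lower()
    if not host.endswith(".splunkcloud.com"):
        raise ValueError(f"not a splunkcloud.com host: {host!r}")
    return host


def resolves(host, resolver=socket.getaddrinfo):
    """True if DNS returns an address; 'no such host' surfaces as gaierror."""
    try:
        return bool(resolver(host, HEC_PORT))
    except socket.gaierror:
        return False


def diagnose(console_url, resolver=socket.getaddrinfo):
    """Return ({hostname: resolves?}, trial-style HEC URL or None)."""
    host = stack_host(console_url)
    documented = "http-inputs." + host   # hostname form quoted from the docs
    report = {host: resolves(host, resolver),
              documented: resolves(documented, resolver)}
    url = f"https://{host}:{HEC_PORT}{HEC_PATH}" if report[host] else None
    return report, url


if __name__ == "__main__":
    # Constructed placeholder; substitute your own stack's console URL.
    report, url = diagnose("https://prd-p-example.splunkcloud.com/")
    for name, ok in report.items():
        print(f"{name}: {'resolves' if ok else 'no such host'}")
    print("HEC URL:", url or "stack host does not resolve; check the name and your resolver")
```

If the stack host resolves on a workstation but not from the sender, the difference lies in the resolver the sender uses, as in the `lookup ... on 10.4.0.10:53` line of the error quoted above.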