Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.
On the Splunk HF, I have configured the HEC with the following:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088
Created a token:
Set Source Type: _json
Select Allowed Indexes: prisma
On the Prisma Cloud side (based on that link above):
When I test the connection, I get that error above.
Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone seen this before and can point me in the right direction for troubleshooting?