Getting Data In

HTTP Event Collector Indexer Acknowledgment Returns "Invalid data format" "code":6

Loves-to-Learn

On a Linux host I am testing our HEC Indexer Acknowledgement setup on our heavy forwarder and following the documentation example but I keep running into "invalid data format" errors.

I am running  the following command to ingest data:

 

curl https://10.1.10.20:8088/services/collector  -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77132" -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d '{ "host": "labPC", "source": "testCurl", "event": {  "message": "Did I Make It?", "severity": "INFO"} }' -k

 

 The data is getting indexed and I am receiving the following status code:

 

{"text":"Success","code":0,"ackId":1}

 


But when I run the following command to verify the indexing status:

 

curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"

 

or any variation of "acks" "ack" "ackId" "0" "[0]" or escaping I keep getting the same result 

 

{"text":"Invalid data format","code":6}

 


Any help or guidance would be most appreciated. 

Thank you. 

Labels (1)
0 Karma