Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector Indexer Acknowledgment Returns "Invalid data format" "code":6

qf
Engager
‎11-30-2020 10:06 AM

On a Linux host I am testing our HEC Indexer Acknowledgement setup on our heavy forwarder and following the documentation example but I keep running into "invalid data format" errors.

I am running  the following command to ingest data:

 

curl https://10.1.10.20:8088/services/collector  -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77132" -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d '{ "host": "labPC", "source": "testCurl", "event": {  "message": "Did I Make It?", "severity": "INFO"} }' -k

 

 The data is getting indexed and I am receiving the following status code:

 

{"text":"Success","code":0,"ackId":1}

 


But when I run the following command to verify the indexing status:

 

curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"

 

or any variation of "acks" "ack" "ackId" "0" "[0]" or escaping I keep getting the same result 

 

{"text":"Invalid data format","code":6}

 


Any help or guidance would be most appreciated. 

Thank you. 

Labels (1)
Labels
Reply

ro_mc
Path Finder
‎11-11-2021 11:20 PM

 

You are using the following command

curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"

The format you should be using per https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/AboutHECIDXAck is as follows:

curl https://mysplunk.com/services/collector?channel=FE0ECFAD-13D5-401B-847D-77833BD77131 
-H "Authorization: Splunk BD274822-96AA-4DA6-90EC-18940FB2414C" -d '<data>' -v

 You are referencing collector/ack?channel, but should be referencing collector?channel.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...