HTTP Event Collector Indexer Acknowledgment Return...

qf · ‎11-30-2020

On a Linux host I am testing our HEC Indexer Acknowledgement setup on our heavy forwarder and following the documentation example but I keep running into "invalid data format" errors.

I am running the following command to ingest data:

curl https://10.1.10.20:8088/services/collector  -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77132" -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d '{ "host": "labPC", "source": "testCurl", "event": {  "message": "Did I Make It?", "severity": "INFO"} }' -k

The data is getting indexed and I am receiving the following status code:

{"text":"Success","code":0,"ackId":1}

But when I run the following command to verify the indexing status:

curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"

or any variation of "acks" "ack" "ackId" "0" "[0]" or escaping I keep getting the same result

{"text":"Invalid data format","code":6}

Any help or guidance would be most appreciated.

Thank you.

ro_mc · ‎11-11-2021

You are using the following command

curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"

The format you should be using per https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/AboutHECIDXAck is as follows:

curl https://mysplunk.com/services/collector?channel=FE0ECFAD-13D5-401B-847D-77833BD77131 
-H "Authorization: Splunk BD274822-96AA-4DA6-90EC-18940FB2414C" -d '<data>' -v

You are referencing collector/ack?channel, but should be referencing collector?channel.

HTTP Event Collector Indexer Acknowledgment Returns "Invalid data format" "code":6

HTTP Event Collector

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!