On a Linux host, I am testing our HEC Indexer Acknowledgement setup on our heavy forwarder and following the documentation example, but I keep running into "invalid data format" errors.
I am running the following command to ingest data:
curl https://10.1.10.20:8088/services/collector -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77132" -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d '{ "host": "labPC", "source": "testCurl", "event": { "message": "Did I Make It?", "severity": "INFO"} }' -k
The data is getting indexed and I am receiving the following status code:
{"text":"Success","code":0,"ackId":1}
But when I run the following command to verify the indexing status:
curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"
or any variation of "acks", "ack", "ackId", "0", "[0]", or escaping, I keep getting the same result:
{"text":"Invalid data format","code":6}
Any help or guidance would be most appreciated.
Thank you.
You are using the following command:
curl -k https://10.1.10.20:8088/services/collector/ack?channel=FE0ECFAD-13D5-401B-847D-77833BD77132 -H "Authorization: Splunk 9cedcd53-b32d-43ba-9cb6-25a211c720bc" -d "{"acks":"0"}"
The format you should be using per https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/AboutHECIDXAck is as follows:
curl https://mysplunk.com/services/collector?channel=FE0ECFAD-13D5-401B-847D-77833BD77131 -H "Authorization: Splunk BD274822-96AA-4DA6-90EC-18940FB2414C" -d '<data>' -v
You are referencing collector/ack?channel, but should be referencing collector?channel.
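Added example, not part of either post above: it shows the bytes the shell hands to curl for the -d argument as typed in the question, next to an ack-status body built in the {"acks":[<ackId>, ...]} form given in Splunk's HEC indexer acknowledgment documentation. The function names are hypothetical and exist only for this illustration.

```shell
#!/bin/sh
# Added example (not from the original posts); function names are hypothetical.

# The -d argument exactly as typed in the question. The shell closes the
# double-quoted string at every inner quote, so no quote character reaches
# curl and the body sent is not JSON.
body_as_typed() {
    printf '%s' "{"acks":"0"}"
}

# Build an ack-status body from ackId numbers, e.g. build_ack_body 0 1 2.
# Anything that is not a non-negative integer is rejected, so the result
# is always valid JSON with an integer array.
build_ack_body() {
    list=""
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "not an ackId: $id" >&2; return 1 ;;
        esac
        list="${list:+$list,}$id"
    done
    printf '{"acks":[%s]}' "$list"
}

# Cheap local check before sending: the quoted "acks" key and the array
# brackets must both have survived shell quoting.
looks_like_ack_body() {
    case "$1" in
        '{"acks":['*']}') return 0 ;;
        *) return 1 ;;
    esac
}

printf 'as typed : %s\n' "$(body_as_typed)"   # {acks:0}
printf 'built    : %s\n' "$(build_ack_body 0)" # {"acks":[0]}

# To send the built body, pass it to curl as: -d "$(build_ack_body 0)"
# or write the literal inside single quotes: -d '{"acks":[0]}'
```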