HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

lpolo
Motivator

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented.

    import httplib
    import json

    WEBHOOK_URL = 'https://localhost:8088/services/collector/event'
    #headers = {'Content-Type': 'application/json'}
    # HEC token passed as the Authorization header value, as posted in the question
    headers = {'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F', 'Content-Type': 'application/json'}

    # Event payload for the collector endpoint
    message = {"index": "main", "sourcetype": "xqe_metric", "event": "Testing"}

    print WEBHOOK_URL, headers, message

    # POST the JSON-encoded event to the local collector over HTTPS
    connection = httplib.HTTPSConnection('localhost:8088')
    connection.request('POST', WEBHOOK_URL, json.dumps(message), headers)

    response = connection.getresponse()
    print response.read().decode(), '/n'

Response

    <module 'time' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so'>   Failed="no"
    http://localhost:8088/services/collector/event {'Content-Type': 'application/json', 'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F'} {'index': 'main', 'sourcetype': 'xqe_metric', 'event': 'Testing'}
    {"text":"Invalid authorization","code":3} /n

1 Solution

richgalloway
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, an upvote would be appreciated.

gblock_splunk
Splunk Employee

I see you are using HTTPS. Just as a side note, as you are sending to your local instance, the SSL cert is probably not valid, in which case the request will be rejected unless you configure your client to ignore cert validation.

0 Karma
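Added example (Python 3; not code from this thread or from Splunk) covering both replies above: the token is sent as `Authorization: Splunk <token>`, and certificate checking stays enabled by trusting the instance's certificate through a CA file. The function names, the placeholder token and the `splunk-ca.pem` file name are assumptions made for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request

# Constructed placeholders: substitute your own endpoint, token and CA file.
HEC_URL = "https://localhost:8088/services/collector/event"
PLACEHOLDER_TOKEN = "00000000-0000-0000-0000-000000000000"


def hec_headers(token):
    """Build HEC headers; the token goes after the 'Splunk ' scheme."""
    token = token.strip()
    if token.lower().startswith("splunk "):  # caller already added the scheme
        token = token[len("splunk "):].strip()
    # Reject empty tokens and embedded whitespace (CR/LF would split the header).
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be one non-empty word")
    return {"Authorization": "Splunk " + token,
            "Content-Type": "application/json"}


def build_request(url, token, event, index="main", sourcetype="xqe_metric"):
    """Return a POST request carrying one JSON event."""
    body = json.dumps({"index": index, "sourcetype": sourcetype, "event": event})
    return urllib.request.Request(url, data=body.encode("utf-8"),
                                  headers=hec_headers(token), method="POST")


def tls_context(ca_file=None):
    """Keep certificate and hostname checks on; ca_file (hypothetical path to
    the PEM certificate your Splunk instance presents) adds trust for a
    self-signed local certificate."""
    return ssl.create_default_context(cafile=ca_file)


def send(request, context):
    """POST the event and return (status, decoded JSON reply), also for 4xx/5xx."""
    try:
        with urllib.request.urlopen(request, context=context, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    req = build_request(HEC_URL, PLACEHOLDER_TOKEN, "Testing")
    print(send(req, tls_context("splunk-ca.pem")))  # hypothetical CA file name
```

Hostname checking remains on, so the certificate must name the host you connect to (here `localhost`) for the TLS handshake to succeed.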

lpolo
Motivator

Thanks. I saw the problem thanks to your observation.

0 Karma

shamscw
Engager

Hi Guys,

I have a similar problem - I'm using an HTTP event collector and installed an iApp for F5 load balancers.
I can see the F5 sending keys as follows from a packet capture:

Member Key: time
Member Key: host
Member Key: source
Member Key: sourcetype
Member Key: event

I can see the Splunk Server responding like this:

Member Key: text
String Value: Invalid authorization
Key: text

Member Key: code
Number Value: 3
Key: code

Where in Splunk do I configure the above Member Key which is causing an invalid authorization?

Thanks!

0 Karma

richgalloway
SplunkTrust

If your problem is solved please accept the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

gblock_splunk
Splunk Employee

Rich is correct!

0 Karma

richgalloway
SplunkTrust

The WEBHOOK_URL variable has unbalanced quotes and parens in it. If it's not a typo in the question then it could explain the problem.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lpolo
Motivator

Thanks, I updated the code and response; it had a typo.

0 Karma