Getting Data In

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

lpolo
Motivator

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented.

WEBHOOK_URL = 'https://localhost:8088/services/collector/event'
#headers = {'Content-Type': 'application/json'}
headers={'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F', 'Content-Type': 'application/json'}


message = { "index":"main", "sourcetype":"xqe_metric", "event":"Testing"}

print WEBHOOK_URL, headers, message

connection = httplib.HTTPSConnection('localhost:8088')
connection.request('POST', WEBHOOK_URL, json.dumps(message), headers)

response = connection.getresponse()
print response.read().decode(), '/n'

Response

    <module 'time' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so'>   Failed="no"
http://localhost:8088/services/collector/event {'Content-Type': 'application/json', 'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F'} {'index': 'main', 'sourcetype': 'xqe_metric', 'event': 'Testing'}
{"text":"Invalid authorization","code":3} /n

alt text

1 Solution

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gblock_splunk
Splunk Employee
Splunk Employee

I see you are using HTTPS. Just as a side note, as you sending to your local instance, the SSL cert is probably not valid in which case the request will be rejected unless you configure you client to ignore cert validation.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

lpolo
Motivator

Thanks. I saw the problem thanks to your observation.

0 Karma

shamscw
Engager

Hi Guys,

I have a similar problem - I'm using a HTTP event collector and installed an iApp for F5 load balancers.
I can see the F5 sending keys as follows from a packet capture:

Member Key: time
Member Key: host
Member Key: source
Member Key: sourcetype
Member Key: event

I can see the Splunk Server responding like this:

Member Key: text
String Value: Invalid authorization
Key: text

Member Key: code
Number Value: 3
Key: code

Where in Splunk do I configure the above Member Key which is causing an invalid authorization?

Thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is solved please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

Rich is correct!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The WEBHOOK_URL variable has unbalanced quotes and parens in it. If it's a not a typo in the question then it could explain the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lpolo
Motivator

Thanks, I updated the code and response it had a typo.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...