Solved: Re: HTTP Event Collector: Why am I getting error "...

lpolo · ‎03-03-2016

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented.

WEBHOOK_URL = 'https://localhost:8088/services/collector/event'
#headers = {'Content-Type': 'application/json'}
headers={'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F', 'Content-Type': 'application/json'}


message = { "index":"main", "sourcetype":"xqe_metric", "event":"Testing"}

print WEBHOOK_URL, headers, message

connection = httplib.HTTPSConnection('localhost:8088')
connection.request('POST', WEBHOOK_URL, json.dumps(message), headers)

response = connection.getresponse()
print response.read().decode(), '/n'

Response

    <module 'time' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so'>   Failed="no"
http://localhost:8088/services/collector/event {'Content-Type': 'application/json', 'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F'} {'index': 'main', 'sourcetype': 'xqe_metric', 'event': 'Testing'}
{"text":"Invalid authorization","code":3} /n

richgalloway · ‎03-04-2016

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gblock_splunk · ‎03-04-2016

I see you are using HTTPS. Just as a side note, as you sending to your local instance, the SSL cert is probably not valid in which case the request will be rejected unless you configure you client to ignore cert validation.

richgalloway · ‎03-04-2016

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

lpolo · ‎03-07-2016

Thanks. I saw the problem thanks to your observation.

shamscw · ‎08-30-2017

Hi Guys,

I have a similar problem - I'm using a HTTP event collector and installed an iApp for F5 load balancers.
I can see the F5 sending keys as follows from a packet capture:

Member Key: time
Member Key: host
Member Key: source
Member Key: sourcetype
Member Key: event

I can see the Splunk Server responding like this:

Member Key: text
String Value: Invalid authorization
Key: text

Member Key: code
Number Value: 3
Key: code

Where in Splunk do I configure the above Member Key which is causing an invalid authorization?

Thanks!

richgalloway · ‎03-11-2016

If your problem is solved please accept the answer.

---
If this reply helps you, Karma would be appreciated.

gblock_splunk · ‎03-04-2016

Rich is correct!

richgalloway · ‎03-03-2016

The WEBHOOK_URL variable has unbalanced quotes and parens in it. If it's a not a typo in the question then it could explain the problem.

---
If this reply helps you, Karma would be appreciated.

lpolo · ‎03-03-2016

Thanks, I updated the code and response it had a typo.

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk