Re: HTTP Event Collector not working after update

bshega · ‎10-18-2016

Hello,

We have recently set up a Splunk instance and I configured an HTTP Event Collector and everything was working great. Well I think our IT department decided to update our Splunk to the latest version and now the Event Collector isn't working anymore. I'm getting a success response back after a curl or our API but none of the data is being found in search, the old sources I had set up prior to the update are now missing. I tried removing the existing tokens to make new ones but that isn't working either.

Any ideas on what could be the cause of this?

Thanks,
Brandon

starcher · ‎02-09-2017

Check that you do not have useDeploymentServer = 1 sent in the HEC config to the HF. That should only be active on your deployment server. Not sent the heavy forwarders acting as HEC inputs.

bpitts2 · ‎10-18-2016

Review the splunkd logs from the forwarder hosting the event collector. I found issues with JSON line breaking that was preventing mine from working correctly.

bshega · ‎10-18-2016

Ok I'm not really sure where that is, but I did go into settings and noticed that both Splunk Forwarder and Splunk Light Forwarder are disabled, could this be the cause?

HTTP Event Collector not working after update

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation