Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector not working after update

bshega
Explorer
‎10-18-2016 05:55 AM

Hello,

We have recently set up a Splunk instance and I configured an HTTP Event Collector and everything was working great. Well I think our IT department decided to update our Splunk to the latest version and now the Event Collector isn't working anymore. I'm getting a success response back after a curl or our API but none of the data is being found in search, the old sources I had set up prior to the update are now missing. I tried removing the existing tokens to make new ones but that isn't working either.

Any ideas on what could be the cause of this?

Thanks,
Brandon

0 Karma
Reply

starcher
Influencer
‎02-09-2017 06:24 PM

Check that you do not have useDeploymentServer = 1 sent in the HEC config to the HF. That should only be active on your deployment server. Not sent the heavy forwarders acting as HEC inputs.

0 Karma
Reply

bpitts2
Path Finder
‎10-18-2016 06:08 AM

Review the splunkd logs from the forwarder hosting the event collector. I found issues with JSON line breaking that was preventing mine from working correctly.

0 Karma
Reply

bshega
Explorer
‎10-18-2016 06:21 AM

Ok I'm not really sure where that is, but I did go into settings and noticed that both Splunk Forwarder and Splunk Light Forwarder are disabled, could this be the cause?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...