We have recently set up a Splunk instance and I configured an HTTP Event Collector and everything was working great. Well I think our IT department decided to update our Splunk to the latest version and now the Event Collector isn't working anymore. I'm getting a success response back after a curl or our API but none of the data is being found in search, the old sources I had set up prior to the update are now missing. I tried removing the existing tokens to make new ones but that isn't working either.
Any ideas on what could be the cause of this?
Review the splunkd logs from the forwarder hosting the event collector. I found issues with JSON line breaking that was preventing mine from working correctly.
Ok I'm not really sure where that is, but I did go into settings and noticed that both Splunk Forwarder and Splunk Light Forwarder are disabled, could this be the cause?
Check that you do not have useDeploymentServer = 1 sent in the HEC config to the HF. That should only be active on your deployment server. Not sent the heavy forwarders acting as HEC inputs.