Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HTTP event collector 404 error
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HTTP event collector 404 error
evanwyk11
Engager
10-14-2016
04:58 AM
Good Day
I've got two issues with my HTTP event collector.
1st issue:
I created an event collector when I installed Splunk 6.3, that worked fine I since then upgraded to splunk 6.5 - I then deleted my event collector but was still able to POST to the URL
I then uninstalled splunk from my server, and installed it from scratch but still experienced the issue above, Does anyone know where I could look to see why the HEC configurations still remain
2nd Issue
Whenever I add a new HEC i get the following error
{
"text": "The requested URL was not found on this server.",
"code": 404
}
I have read all the docs and lots of blog posts, with no luck of how to resolve these issues
I am using google Postman and Curl run a post to my HEC
Thanks
Edson
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewjgriffin
Engager
06-14-2017
01:31 PM
check etc/local/inputs.conf - I've seen upgrades reset the "disabled" setting in there from 0 to 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
starcher
Influencer
10-16-2016
07:02 AM
HEC configs are in $SPLUNK_HOME/etc/apps/splunk_httpinput
Did you check that you turned HEC back on in the Global Settings button after reinstall? I believe you can create tokens and not have the option "on".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
evanwyk11
Engager
10-17-2016
05:00 AM
Hi starcher
I have checked that the HEC is turned on in the global settings, I have two tokens created. But currently only the one token works and the other token gives me a 404 error - both are configured the same.
Are there any other setting that I am missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
starcher
Influencer
10-30-2016
02:34 PM
You can try running btool and see if it lists your other token and what app it is coming from.
splunk cmd btool --debug inputs list http
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
