Good Day
I've got two issues with my HTTP event collector.
1st issue:
I created an event collector when I installed Splunk 6.3, and that worked fine. I have since upgraded to Splunk 6.5. I then deleted my event collector but was still able to POST to the URL.
I then uninstalled Splunk from my server and installed it from scratch, but still experienced the issue above. Does anyone know where I could look to see why the HEC configurations still remain?
2nd issue:
Whenever I add a new HEC I get the following error:
{
"text": "The requested URL was not found on this server.",
"code": 404
}
I have read all the docs and lots of blog posts, with no luck on how to resolve these issues.
I am using Google Postman and curl to run a POST to my HEC.
Thanks
Edson
Check etc/local/inputs.conf - I've seen upgrades reset the "disabled" setting in there from 0 to 1.
HEC configs are in $SPLUNK_HOME/etc/apps/splunk_httpinput
Did you check that you turned HEC back on in the Global Settings button after reinstall? I believe you can create tokens and not have the option "on".
Hi starcher
I have checked that the HEC is turned on in the global settings, and I have two tokens created. But currently only the one token works and the other token gives me a 404 error - both are configured the same.
Are there any other settings that I am missing?
You can try running btool and see if it lists your other token and what app it is coming from.
splunk cmd btool --debug inputs list http
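
Added example, not part of the original thread: a small Python parser for the `btool --debug` output suggested above, reporting which `[http]` or `[http://<token>]` stanzas resolve to `disabled = 1` and which file sets that value. The sample output, paths and token names are constructed, and the line layout (source file first, then the stanza header or setting) is an assumption about btool's debug format.

```python
import re
import sys

# Constructed sample of `splunk cmd btool --debug inputs list http` output.
# Assumed layout: each line is "<source .conf path> <stanza header or key = value>".
SAMPLE = """\
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   [http]
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   disabled = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   [http://token_a]
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   disabled = 0
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   token = 00000000-0000-0000-0000-00000000000a
/opt/splunk/etc/apps/search/local/inputs.conf             [http://token_b]
/opt/splunk/etc/system/local/inputs.conf                  disabled = 1
/opt/splunk/etc/apps/search/local/inputs.conf             token = 00000000-0000-0000-0000-00000000000b
"""

LINE = re.compile(r"^(?P<src>\S+\.conf)\s+(?P<body>.+?)\s*$")

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        src, body = m.group("src"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, {})["_defined_in"] = (None, src)
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), src)
    return stanzas

def disabled_inputs(stanzas):
    """List (stanza, source_file) for every stanza whose effective disabled is 1/true."""
    hits = []
    for name, settings in stanzas.items():
        value, src = settings.get("disabled", ("0", None))
        if value.lower() in ("1", "true"):
            hits.append((name, src))
    return hits

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, src in disabled_inputs(parse_btool(text)):
        print(f"[{name}] is disabled by {src}")
```

Saved under a name of your choosing (for instance a hypothetical `check_hec.py`), it can read real output on stdin by piping the btool command above into it; with no pipe it runs against the constructed sample.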