Getting Data In

HTTP event collector 404 error

evanwyk11
Engager

Good Day

I've got two issues with my HTTP event collector.

1st issue:
I created an event collector when I installed Splunk 6.3, that worked fine I since then upgraded to splunk 6.5 - I then deleted my event collector but was still able to POST to the URL

I then uninstalled splunk from my server, and installed it from scratch but still experienced the issue above, Does anyone know where I could look to see why the HEC configurations still remain

2nd Issue
Whenever I add a new HEC i get the following error
{
"text": "The requested URL was not found on this server.",
"code": 404
}

I have read all the docs and lots of blog posts, with no luck of how to resolve these issues

I am using google Postman and Curl run a post to my HEC

Thanks

Edson

andrewjgriffin
Engager

check etc/local/inputs.conf - I've seen upgrades reset the "disabled" setting in there from 0 to 1

0 Karma

starcher
SplunkTrust
SplunkTrust

HEC configs are in $SPLUNK_HOME/etc/apps/splunk_httpinput
Did you check that you turned HEC back on in the Global Settings button after reinstall? I believe you can create tokens and not have the option "on".

0 Karma

evanwyk11
Engager

Hi starcher

I have checked that the HEC is turned on in the global settings, I have two tokens created. But currently only the one token works and the other token gives me a 404 error - both are configured the same.
Are there any other setting that I am missing?

0 Karma

starcher
SplunkTrust
SplunkTrust

You can try running btool and see if it lists your other token and what app it is coming from.

splunk cmd btool --debug inputs list http

0 Karma