Getting Data In

How do I display data in Splunk that's delivered through the HTTP collector endpoint?

New Member

I'm running a cloud trial of Splunk and have set up an HTTP collector. Data is being delivered to the endpoint via cURL. See the following command and response:

curl -k  https://input-prd-p-lmgm59gf8vp3.cloud.splunk.com:8088/services/collector -H "Authorization: Splunk 3c95e4e7-daa7-4c57-94b9-6f9df02c16d7" -d '{"event": "hello world"}'

{"text":"Success","code":0}

Despite repeated execution of the command, the Data Summary remains blank.
alt text

Does anyone know how to display the data submitted through cURL?

0 Karma

Esteemed Legend

Try this (set Time picker to All time😞

[|tstats max(_time) AS time WHERE index=* AND TERM("hello world") BY host source sourcetype index
| format
| rex field=search mode=sed "s/time/earliest/"] hello world

Cut and paste this EXACTLY as-is.

0 Karma

Influencer

If you have success, data is in Splunk. Check the index=main if it is the case that you have set HEC to index it there.

Search for source="http:<your_hec_input_name>" (index="main")

0 Karma

New Member

Still, nothing even when I change the range, see screenshot below. If the system is holding data shouldn't that be reflected in the data summary? Provided a screenshot of that as well.

alt text

alt text

0 Karma

New Member

Thanks for the response. I think I have this right but am still not seeing any search results.

alt text

alt text

Perhaps I'm missing something obvious?

0 Karma

Influencer

Check that for AllTime, I don't know when did you ingest that dummy data and it will have the time of when you indexed it.

If still no results, is this a Single Splunk Instance?

0 Karma