How do I display data in Splunk that's delivered t...

mcforgerock · ‎02-26-2019

I'm running a cloud trial of Splunk and have set up an HTTP collector. Data is being delivered to the endpoint via cURL. See the following command and response:

curl -k  https://input-prd-p-lmgm59gf8vp3.cloud.splunk.com:8088/services/collector -H "Authorization: Splunk 3c95e4e7-daa7-4c57-94b9-6f9df02c16d7" -d '{"event": "hello world"}'

{"text":"Success","code":0}

Despite repeated execution of the command, the Data Summary remains blank.

Does anyone know how to display the data submitted through cURL?

woodcock · ‎03-02-2019

Try this (set Time picker to All time😞

[|tstats max(_time) AS time WHERE index=* AND TERM("hello world") BY host source sourcetype index
| format
| rex field=search mode=sed "s/time/earliest/"] hello world

Cut and paste this EXACTLY as-is.

tiagofbmm · ‎02-26-2019

If you have success, data is in Splunk. Check the index=main if it is the case that you have set HEC to index it there.

Search for source="http:<your_hec_input_name>" (index="main")

mcforgerock · ‎02-27-2019

Still, nothing even when I change the range, see screenshot below. If the system is holding data shouldn't that be reflected in the data summary? Provided a screenshot of that as well.

mcforgerock · ‎02-26-2019

Thanks for the response. I think I have this right but am still not seeing any search results.

Perhaps I'm missing something obvious?

tiagofbmm · ‎02-27-2019

Check that for AllTime, I don't know when did you ingest that dummy data and it will have the time of when you indexed it.

If still no results, is this a Single Splunk Instance?

How do I display data in Splunk that's delivered through the HTTP collector endpoint?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!