How do I display data in Splunk that's delivered t...

mcforgerock · ‎02-26-2019

I'm running a cloud trial of Splunk and have set up an HTTP collector. Data is being delivered to the endpoint via cURL. See the following command and response:

curl -k  https://input-prd-p-lmgm59gf8vp3.cloud.splunk.com:8088/services/collector -H "Authorization: Splunk 3c95e4e7-daa7-4c57-94b9-6f9df02c16d7" -d '{"event": "hello world"}'

{"text":"Success","code":0}

Despite repeated execution of the command, the Data Summary remains blank.

Does anyone know how to display the data submitted through cURL?

woodcock · ‎03-02-2019

Try this (set Time picker to All time😞

[|tstats max(_time) AS time WHERE index=* AND TERM("hello world") BY host source sourcetype index
| format
| rex field=search mode=sed "s/time/earliest/"] hello world

Cut and paste this EXACTLY as-is.

tiagofbmm · ‎02-26-2019

If you have success, data is in Splunk. Check the index=main if it is the case that you have set HEC to index it there.

Search for source="http:<your_hec_input_name>" (index="main")

mcforgerock · ‎02-27-2019

Still, nothing even when I change the range, see screenshot below. If the system is holding data shouldn't that be reflected in the data summary? Provided a screenshot of that as well.

mcforgerock · ‎02-26-2019

Thanks for the response. I think I have this right but am still not seeing any search results.

Perhaps I'm missing something obvious?

tiagofbmm · ‎02-27-2019

Check that for AllTime, I don't know when did you ingest that dummy data and it will have the time of when you indexed it.

If still no results, is this a Single Splunk Instance?

How do I display data in Splunk that's delivered through the HTTP collector endpoint?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life