Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Http Event Collector CURL errors with {"text":"Invalid token","code":4} or "Empty reply from server" using Windows

sfortier99
Engager
‎08-05-2016 01:29 PM

I configured HTTP Event Collector and am trying to test it with:

curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*"  -d '{"event": "hello world"}'
error:  {"text"."Invalid token","code"4}

I also tried:

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d "{\"event\":\"hello world\"}"

and I get response curl: (52) Empty reply from server

Running Windows Server 2012 R2

Why is this not working?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-05-2016 01:51 PM

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'

View solution in original post

Reply
Solved! Jump to solution

KrishatSplunk
Loves-to-Learn
‎05-02-2022 09:41 AM

If you are using deploment server to create the token and push it to your heavy forwarders where it should be actually authenticate then you have to:
1. To make sure you change useDeploymentServer flag to true as below.

 

useDeploymentServer = 1

 

When this option is set to 1 and you make UI-based HEC changes on the deployment server, those changes are placed directly in the $SPLUNK_HOME/etc/deployment-apps/splunk_httpinput/ folder, rather than in $SPLUNK_HOME/etc/apps/folder. 

Because if  your inputs changes is there in the $SPLUNK_HOME/etc/apps/<anyapp>/inputs.conf  on deployment server and also in your Heavy forwarder . Then the rest/curl call to token will end up in Invalid token response code 4.

 

0 Karma
Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎08-15-2016 10:40 PM

How did you create your token? Did you manually add a stanza to conf? If so which conf file, and can you show the stanza?

If you log into the Splunk UI and go to Settings->Data Inputs->HTTP Event Collector does your token show in the list?

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-05-2016 01:51 PM

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...