I configured HTTP Event Collector and am trying to test it with:
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d '{"event": "hello world"}'
error: {"text":"Invalid token","code":4}
I also tried:
curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d "{\"event\":\"hello world\"}"
and I get response curl: (52) Empty reply from server
Running Windows Server 2012 R2
Why is this not working?
Give this a try (verify the token value is correct and same as what you generated in Splunk)
curl -k https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111' -d '{"event": "hello world"}'
If you are using a deployment server to create the token and push it to your heavy forwarders, where it should actually authenticate, then you have to:
1. Make sure you change the useDeploymentServer flag to true, as below.
useDeploymentServer = 1
When this option is set to 1 and you make UI-based HEC changes on the deployment server, those changes are placed directly in the $SPLUNK_HOME/etc/deployment-apps/splunk_httpinput/ folder, rather than in $SPLUNK_HOME/etc/apps/folder.
Because if your inputs changes are there in $SPLUNK_HOME/etc/apps/<anyapp>/inputs.conf on the deployment server and also on your heavy forwarder, then the REST/curl call with the token will end up with an Invalid token response, code 4.
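An added example (not from this thread or from Splunk) that reads the inputs.conf files found on the deployment server and the heavy forwarder and lists reasons a token would be rejected with code 4. The function names, sample paths and token values are constructed, and treating "same stanza name, different token in two files" as the symptom of the conflict described above is an assumption.

```python
def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}, comments ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def is_off(stanza):
    return stanza.get("disabled", "0").lower() in ("1", "true")

def explain_invalid_token(sent, conf_files):
    """sent: token from the Authorization header; conf_files: {path: file text}."""
    findings, seen, matched = [], {}, False  # seen: stanza -> {token: [paths]}
    for path, text in conf_files.items():
        for name, kv in parse_conf(text).items():
            if name == "http" and is_off(kv):
                findings.append(f"{path}: global [http] stanza is disabled")
            if not name.startswith("http://") or not kv.get("token"):
                continue
            token = kv["token"]
            seen.setdefault(name, {}).setdefault(token, []).append(path)
            if token == sent:
                matched = True
                if is_off(kv):
                    findings.append(f"{path}: [{name}] matches but is disabled")
            elif token in sent:
                findings.append(f"{path}: [{name}] near match, stray characters sent")
    for name, tokens in seen.items():
        if len(tokens) > 1:
            paths = sorted(p for ps in tokens.values() for p in ps)
            findings.append(f"[{name}] has different tokens in: {', '.join(paths)}")
    if not matched:
        findings.append("sent token is not defined in any supplied inputs.conf")
    return findings

# Constructed sample: paths and token values are placeholders, not from the thread.
SAMPLE = {
    "etc/deployment-apps/splunk_httpinput/local/inputs.conf":
        "[http]\ndisabled = 0\n[http://test]\ntoken = 00000000-0000-0000-0000-0000000000aa\n",
    "etc/apps/search/local/inputs.conf":
        "[http://test]\ntoken = 00000000-0000-0000-0000-0000000000bb\n",
}

if __name__ == "__main__":
    print("\n".join(explain_invalid_token("00000000-0000-0000-0000-0000000000aa*", SAMPLE)))
```
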
How did you create your token? Did you manually add a stanza to conf? If so which conf file, and can you show the stanza?
If you log into the Splunk UI and go to Settings -> Data Inputs -> HTTP Event Collector, does your token show in the list?