Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Http Event Collector CURL errors with {"text":"Invalid token","code":4} or "Empty reply from server" using Windows

sfortier99
Engager
‎08-05-2016 01:29 PM

I configured HTTP Event Collector and am trying to test it with:

curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*"  -d '{"event": "hello world"}'
error:  {"text"."Invalid token","code"4}

I also tried:

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d "{\"event\":\"hello world\"}"

and I get response curl: (52) Empty reply from server

Running Windows Server 2012 R2

Why is this not working?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-05-2016 01:51 PM

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'

View solution in original post

Reply
Solved! Jump to solution

KrishatSplunk
Loves-to-Learn
‎05-02-2022 09:41 AM

If you are using deploment server to create the token and push it to your heavy forwarders where it should be actually authenticate then you have to:
1. To make sure you change useDeploymentServer flag to true as below.

 

useDeploymentServer = 1

 

When this option is set to 1 and you make UI-based HEC changes on the deployment server, those changes are placed directly in the $SPLUNK_HOME/etc/deployment-apps/splunk_httpinput/ folder, rather than in $SPLUNK_HOME/etc/apps/folder. 

Because if  your inputs changes is there in the $SPLUNK_HOME/etc/apps/<anyapp>/inputs.conf  on deployment server and also in your Heavy forwarder . Then the rest/curl call to token will end up in Invalid token response code 4.

 

0 Karma
Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎08-15-2016 10:40 PM

How did you create your token? Did you manually add a stanza to conf? If so which conf file, and can you show the stanza?

If you log into the Splunk UI and go to Settings->Data Inputs->HTTP Event Collector does your token show in the list?

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-05-2016 01:51 PM

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...