Solved: Http Event Collector output not being indexed?

arun_kant_sharm · ‎06-24-2019

Hi Experts,
I configured HEC input, after that I run curl command using that token, it returns {"text":"Success","code":0}.
But no event comes into my INDEX.
Any suggestions on how to proceed?
Thanks in advance.

harsmarvania57 · ‎06-25-2019

Hi,

Can you please change sourcetype from _json to json_no_timestamp for "test" token and try again?

View solution in original post

harsmarvania57 · ‎06-25-2019

Hi,

Can you please change sourcetype from _json to json_no_timestamp for "test" token and try again?

arun_kant_sharm · ‎06-25-2019

Thanks, its working 🙂

harsmarvania57 · ‎06-25-2019

Great, I have converted my comment to answer so you can accept it.

renjith_nair · ‎06-25-2019

@arun_kant_sharma,

Have you searched in the default index which you have configured while creating the token ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

arun_kant_sharm · ‎06-25-2019

Actually I created the HEC input in a Index(Test) , so nothing is come in default index.

renjith_nair · ‎06-25-2019

Even for "All Time" time range?

---
What goes around comes around. If it helps, hit it with Karma 🙂

Http Event Collector output not being indexed?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation