Hello
I need urgent help.
I created HEC data inputs. I did follow these guidelines.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/HECExamples
https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/UsetheHTTPEventCollector
The test was successful and I'm able to get
{"text": "Success", "code": 0}
However, the index was still empty, although I'm expecting it to contain the message data.
What would be the reason?
Our Splunk deployment is as below:
1 Search Head Instance
2 Indexer Instances
4 Forwarder Instances
I created the HEC on the Search Head via the GUI.
Please advise, and thanks in advance.
HEC should be installed on indexers rather than search heads. HEC on SH may work if data is forwarded to the indexers, but I've never seen it done that way.
How are you looking for the data?
@richgalloway I just created the HEC on the Indexer. Sending data via the HTTP collector succeeds; however, when I go to Monitoring Console > Indexing > Inputs > HTTP Event Collector: Instance, it returns "You currently have no tokens configured". I'm not sure how to fix this.
It's possible the MC is not aware of HEC tokens on indexers. Test that by running the following command on one of the indexers. It should return your HEC token.
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http