Index has empty data when using HEC

malikperang
Loves-to-Learn Everything

Hello 

I need urgent help.

I created HEC data inputs. I did follow these guidelines.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/HECExamples

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/UsetheHTTPEventCollector

The test was a success and I'm able to get

{"text": "Success", "code": 0}

However, the index was still empty, whereas I'm expecting it to contain the message data.

What would be the reason?

Our Splunk Deployment is like below

1 Search Head Instance

2 Indexer Instance

4 Forwarder Instance.

I created the HEC on the search head via the GUI.

Please help and advise, and thanks in advance.


richgalloway
SplunkTrust

HEC should be installed on indexers rather than search heads.  HEC on SH may work if data is forwarded to the indexers, but I've never seen it done that way.

How are you looking for the data?

---
If this reply helps you, Karma would be appreciated.

malikperang
Loves-to-Learn Everything

@richgalloway I just created the HEC on the indexer. Sending data via the HTTP collector succeeds; however, when I go to Monitoring Console > Indexing > Inputs > HTTP Event Collector: Instance, it returns "You currently have no tokens configured". I'm not sure how to fix this.


isoutamo
SplunkTrust
When you said forwarder, do you mean UF or HF? To which instance are you sending those HEC messages?

richgalloway
SplunkTrust

It's possible the MC is not aware of HEC tokens on indexers.  Test that by running the following command on one of the indexers.  It should return your HEC token.

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http
---
If this reply helps you, Karma would be appreciated.
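
The check from the reply above, extended to compare every indexer, as an added example that is not part of the original thread: it parses the JSON that endpoint returns when `?output_mode=json` is appended and reports tokens that are missing, disabled, or pointed at different indexes. The host names, token name and sample responses are constructed, and the field names used (`entry`, `name`, `content`, `index`, `disabled`) are an assumption about the REST JSON layout.

```python
import json

# Constructed sample responses (not real output), trimmed to the fields used.
# Token values are never read or printed here: they are credentials.
SAMPLE = {
    "idx1": json.dumps({"entry": [
        {"name": "http://app_events",
         "content": {"disabled": False, "index": "app"}}]}),
    "idx2": json.dumps({"entry": []}),  # token was never created on this indexer
}

def is_true(value):
    """REST booleans may arrive as true/false or as "1"/"0" strings."""
    return str(value).lower() in ("1", "true")

def tokens_on(response_text):
    """Map token name -> (index, disabled) from one indexer's response."""
    found = {}
    for entry in json.loads(response_text).get("entry", []):
        content = entry.get("content", {})
        name = entry["name"].split("://", 1)[-1]  # stanza name is http://<token name>
        found[name] = (content.get("index", "(not set)"),
                       is_true(content.get("disabled", False)))
    return found

def audit(responses):
    """Return a list of problems across all indexers; empty means consistent."""
    per_host = {host: tokens_on(text) for host, text in responses.items()}
    all_names = set().union(*[t.keys() for t in per_host.values()])
    if not all_names:
        return ["no HEC tokens defined on any indexer"]
    problems = []
    for name in sorted(all_names):
        indexes = set()
        for host in sorted(per_host):
            if name not in per_host[host]:
                problems.append(f"{host}: token '{name}' not defined")
                continue
            index, disabled = per_host[host][name]
            indexes.add(index)
            if disabled:
                problems.append(f"{host}: token '{name}' is disabled")
        if len(indexes) > 1:
            problems.append(f"token '{name}' targets different indexes: {sorted(indexes)}")
    return problems

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

To use it on a real deployment, save each indexer's response to a string and pass a `{host: response_text}` dictionary to `audit`.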