Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there an error in the documentation? My tests indicate the document is not correct when using curl.

mark-jones
Explorer
‎09-20-2022 07:12 AM

According to my tests the Authorization header should not have a space between the colon and splunk keyword.  It should be "Authorization:Splunk ###-####..." and not "Authorization:  Splunk ###-####..."

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/FormateventsforHTTPEventCollector

In other words this works:

curl -k https://prd-p.splunkcloud.com:8088/services/collector -H "Authorization:Splunk ###-######" -d "{\"sourcetype\":\"_json\",\"index\": \"job1\",\"event\": {\"a\": \"value1\", \"b\": [\"value1\", \"value1\"]}}"

Whereas this does not work:

curl -k https://prd-p.splunkcloud.com:8088/services/collector -H "Authorization: Splunk ###-######-b680-72c7bd33f9bb" -d "{\"sourcetype\":\"_json\",\"index\": \"job1\",\"event\": {\"a\": \"value1\", \"b\": [\"value1\", \"value1\"]}}"

markjones_0-1663682704498.png

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-21-2022 01:52 AM

Hi

this 

-H "Authorization: Splunk eae66351-aaaa-1111-2222-2787781f501f"

works as documentation said. Actually you can use it with or without that space between : and Splunk.

What I have earlier seen, is that in some OS (like windows) and/or some shell configurations will generate some confusion with sending event with curl to HEC. Especially when you are surrounding event with " instead of '. In this first case you must do some escape for " on json field names and values and there are situation when this can leads to unwanted situation.

r. Ismo

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2022 08:11 AM

Submit this message as feedback on the relevant Docs page.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mark-jones
Explorer
‎09-20-2022 08:41 AM

Done.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...