Is there an error in the documentation? My tests ...

mark-jones · ‎09-20-2022

According to my tests the Authorization header should not have a space between the colon and splunk keyword. It should be "Authorization:Splunk ###-####..." and not "Authorization: Splunk ###-####..."

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/FormateventsforHTTPEventCollector

In other words this works:

curl -k https://prd-p.splunkcloud.com:8088/services/collector -H "Authorization:Splunk ###-######" -d "{\"sourcetype\":\"_json\",\"index\": \"job1\",\"event\": {\"a\": \"value1\", \"b\": [\"value1\", \"value1\"]}}"

Whereas this does not work:

curl -k https://prd-p.splunkcloud.com:8088/services/collector -H "Authorization: Splunk ###-######-b680-72c7bd33f9bb" -d "{\"sourcetype\":\"_json\",\"index\": \"job1\",\"event\": {\"a\": \"value1\", \"b\": [\"value1\", \"value1\"]}}"

isoutamo · ‎09-21-2022

Hi

this

-H "Authorization: Splunk eae66351-aaaa-1111-2222-2787781f501f"

works as documentation said. Actually you can use it with or without that space between : and Splunk.

What I have earlier seen, is that in some OS (like windows) and/or some shell configurations will generate some confusion with sending event with curl to HEC. Especially when you are surrounding event with " instead of '. In this first case you must do some escape for " on json field names and values and there are situation when this can leads to unwanted situation.

r. Ismo

richgalloway · ‎09-20-2022

Submit this message as feedback on the relevant Docs page.

---
If this reply helps you, Karma would be appreciated.

mark-jones · ‎09-20-2022

Done.

Is there an error in the documentation? My tests indicate the document is not correct when using curl.

HTTP Event Collector

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann