Hi,
I've created my Data Input, enabled what needs to be enabled. The PUT works, and I get a Success response. However, when I try to search the activity logs using: source="http:", I get ZERO results.
curl -k :8088/services/collector -H "Authorization: Splunk XXXXXXXXXXXXXXXXX" -d '{"event": "hello world"}'
{"text":"Success","code":0}
Hi @codysysdig
If you are sending the events via HEC curl then you can search the events from that particular HEC token via:
Query:
source="http:https input name"
Example:
If you have created a HEC token with the name "test123" and you are sending an event by referencing that token ID in the curl command, then you can search for the test123 events via:
source="http:test123"
Thanks,
Dixit
You should always ALWAYS specify index= in your search string. NEVER EVER rely on the indexes searched by default, because this can change arbitrarily at any moment. So if you are specifying index=summary in your HEC token definition and the events show up when you do index=summary, then you actually do not have a problem. Is this your situation?
Does the index value tied to your HEC token actually exist? Are you doing an All time search on your sourcetype (sometimes events get mis-timestamped and end up in the future or way in the past)?
Yes, I've tried changing the time scale.
What I don't understand is why I cannot see anything with source="http:inputname", but when I add index="summary" I can see my manual PUTs.
What is the sourcetype you configured for the HEC input?
At first, I did not select one. Then I set it to _json; either way, I don't get results back on the search.
Can you please change the sourcetype from _json to json_no_timestamp and try again?
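The thread above turns on three things the sender can control instead of relying on token defaults: the index the event lands in, the sourcetype (and therefore whether Splunk tries to extract a timestamp from the body), and the source value the search has to match. The following is an added example, not code from any poster or from Splunk: a small Python HEC client that sets index, sourcetype, source and time explicitly in each payload, rejects events whose timestamp is far from "now" (the mis-timestamping case that hides events from a default time range), parses the {"text":"Success","code":0} acknowledgement, and keeps TLS verification on rather than reproducing curl's -k. The host, token, index and source values are placeholders, and the accompanying SPL string is only the search that should match the payload once indexed.

```python
"""Send events to Splunk HTTP Event Collector (HEC) with explicit metadata.

Added example, not part of the original thread. The endpoint URL, token,
index name and source value below are hypothetical placeholders.
"""
import json
import time
import urllib.error
import urllib.request

HEC_URL = "https://splunk.example.com:8088/services/collector"  # hypothetical
HEC_TOKEN = "XXXXXXXXXXXXXXXXX"                                  # placeholder
MAX_SKEW_SECONDS = 24 * 3600  # reject timestamps more than a day from now


def build_event(event, *, index, sourcetype, source, epoch=None, now=None):
    """Build one HEC payload with every metadata field set explicitly.

    index/sourcetype/source in the payload override the token's defaults,
    so the search `index=<index> source="<source>"` finds the event no
    matter how the token was configured in the UI. `time` is epoch
    seconds; it is checked against a window around `now` so an event that
    would be indexed far in the past or future is refused before sending.
    """
    now = time.time() if now is None else now
    epoch = now if epoch is None else epoch
    if abs(epoch - now) > MAX_SKEW_SECONDS:
        raise ValueError(
            f"event time {epoch} is more than {MAX_SKEW_SECONDS}s from now")
    return {
        "time": epoch,
        "index": index,
        "sourcetype": sourcetype,
        "source": source,
        "event": event,
    }


def search_for(payload):
    """SPL that should return the payload once it has been indexed."""
    return (f'index={payload["index"]} sourcetype={payload["sourcetype"]} '
            f'source="{payload["source"]}"')


def parse_ack(body):
    """Parse the HEC response body into (ok, text).

    A successful send returns {"text":"Success","code":0}; errors such as
    a bad token come back as JSON with a non-zero code.
    """
    try:
        ack = json.loads(body)
    except ValueError:
        return False, "non-JSON response"
    return ack.get("code") == 0, ack.get("text", "")


def send(payload, url=HEC_URL, token=HEC_TOKEN):
    """POST one payload to HEC. Certificate verification stays enabled."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_ack(resp.read().decode())
    except urllib.error.HTTPError as err:
        # HEC puts its error text in the body of 4xx responses as well.
        return parse_ack(err.read().decode())


if __name__ == "__main__":
    payload = build_event({"msg": "hello world"}, index="summary",
                          sourcetype="json_no_timestamp", source="http:test123")
    print("search with:", search_for(payload))
    print("ack:", send(payload))
```

Because the payload pins index, sourcetype and source itself, a missing result is then a question of whether the named index exists and whether the search window covers the event's time, which is what the rest of the thread is probing.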