Getting Data In
Highlighted

Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

I have the 15 day trial version of Splunk Cloud. The Http Event Collector documentation http://dev.splunk.com/view/event-collector/SP-CAAAE7F says: Note: To turn on HTTP Event Collector in Splunk Cloud, file a request ticket with Splunk Support.

Since this is a trial version I am not allowed to submit a support ticket. How do I get Http Event Collector enabled?

Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Splunk Employee
Splunk Employee

Hi @simpkins1958.

You can now enable HTTP Event Collector yourself in Trial / Single Instance. Go to Settings->Data Inputs->HTTP Event Collector from there you can enable the collector and create a token.

In order to create requests, you need to prefix the URI of your cloud instance with "input-", i.e. see the curl below

curl -k https://input-prd-p-j65vnzzl9wc8.cloud.splunk.com:8088/services/collector -H 'Authorization: Splunk  498FEC9B-86E2-4CD0-B489-4A55E2D52B07' -d '{"event":"event1"} {"event":"event2"}'

Notice I've added "input-" then the instance. Also the port + /services/collector endpoint are there.

As a side note, Splunk Cloud trial uses a self-signed cert, so you need to disabled cert validation if using HTTPS which is what the '-k' switch does with curl.

Let me know if you have any issues.

Thanks
Glenn

View solution in original post

Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

Thanks Glenn. I added the prefix and postfix and I am able to get it to work with curl. But it is not working when using from our C# code using our version of Splunk.Logging.Common. HTTPS is working fine from our C# code when sending data to an on prem instance of Splunk, but not Splunk Cloud. I will keep investigating.

0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

And we have disabled cert validation using:

            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) =>
            {
                return true;
            };
0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

InnerException is:

  • InnerException {"The request was aborted: Could not create SSL/TLS secure channel."} System.Exception {System.Net.WebException}
0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Splunk Employee
Splunk Employee

Try setting the security policy to use TLS.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

Tried setting the security policy to use TLS still not working with Splunk Cloud.

Tried again with my local Splunk server using HTTPS and working fine.

I set a break point in ServerCertificateValidationCallback, which is never getting hit when trying to send to Splunk Cloud but is getting hit when sending to local Splunk Server.

0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Contributor

Based on some googling around I also tried:

            ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Also not working.

0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Splunk Employee
Splunk Employee

It sounds like this is a .NET related issue based on the fact that you can successfully curl. Can you try using HttpClient directly and see if you are able to send data?

0 Karma
Highlighted

Re: Splunk Cloud Trial and Http Event Collector - NOT WORKING

Splunk Employee
Splunk Employee

I am going to do a test against a trial instance we just deployed and see if that works.

0 Karma