Splunk Enterprise trial - Http Event Collector not working

henbarlevi
Engager

I've installed the Splunk Enterprise trial. I've enabled the HEC feature as described here http://dev.splunk.com/view/event-collector/SP-CAAAE7F which enables sending machine data from my app into Splunk. I tried to send a POST request to Splunk using Postman and got no response.

method: POST
url : http://localhost:8088/services/collector
Authorization : my generated token

Why is there no response if I already enabled the HEC feature? It seems that no server is listening on that port at all.

What I don't understand about Splunk is: where is my data stored? Is data for Splunk Enterprise stored only locally, to be used inside a company's LAN network? Or do Splunk's own servers in the cloud store all my data? Do Splunk Enterprise and Splunk Cloud differ on that subject?

Thank you for your help.

anjambha
Communicator

Hello, this issue may be due to the URL. Try http://localhost:8088/services/collector/raw

OR

refer to the steps below for the Splunk Enterprise version:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/UsetheHTTPEventCollector

Create an Event Collector token
To use HEC, you must configure at least one token.

Click Settings > Data Inputs.
Click HTTP Event Collector.
Click New Token.
Enter Name = abc.
Click Next.
Click Create a new index.
Enter Index Name = abc.
From the dropdown select abc, i.e. Default Index = abc.
In the same way, select abc from the Select Allowed Indexes option.
Click Review.
Click Submit.
Keep that Token Value with you.

Enable HTTP Event Collector
Click Settings > Data Inputs.
Click HTTP Event Collector.
Click Global Settings.
Click Enabled.
Then clear all checked boxes and select Default Index = abc.
Click Save.

Now go to Postman:

Select the POST method.
URL: http://localhost:8088/services/collector/raw
Select the Headers tab: key = Authorization and value = Splunk <your token>
In the Body tab: select raw and write your message.
Click Send.

Now in Splunk, search for: index="abc"

0 Karma
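
The Postman request from the answer above, scripted so that "no response" can be told apart from a rejected token (an added example, not part of the original thread). The function names and the token placeholder are assumptions, and the `http://` URL assumes the Enable SSL box in HEC Global Settings is unchecked; with it checked, use `https://`.

```python
import http.client
import urllib.error
import urllib.request

HEC_URL = "http://localhost:8088"   # from the thread; https:// if Enable SSL is on
HEC_TOKEN = "<your token>"          # placeholder: paste the Token Value here

def build_hec_request(base_url, token, message):
    """POST to the raw endpoint with the 'Splunk <token>' Authorization header."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/raw",
        data=message.encode("utf-8"),
        headers={"Authorization": "Splunk " + token},
        method="POST",
    )

def send_raw_event(base_url, token, message, timeout=5):
    """Return (status, detail); status is None when no HTTP response came back."""
    # Empty ProxyHandler: never route a localhost request through a system proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = build_hec_request(base_url, token, message)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # HEC answered but refused the request (must be caught before URLError).
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, http.client.HTTPException, OSError) as err:
        return None, str(err)

def diagnose(status):
    """Map the outcome to the setting in the thread that most likely explains it."""
    if status is None:
        return "nothing answered: HEC not enabled, wrong port, or http/https mismatch"
    if status in (401, 403):
        return "token missing or rejected: check the 'Splunk <token>' header value"
    if status == 200:
        return 'accepted: search index="abc" in Splunk'
    return "HEC answered with HTTP %d: read the response body" % status

if __name__ == "__main__":
    status, detail = send_raw_event(HEC_URL, HEC_TOKEN, "hello from script")
    print(status, detail)
    print(diagnose(status))
```

With SSL disabled the token crosses the wire in cleartext, so keep the plain `http://` form to localhost testing.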