Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk HEC Data Ingestion Issue from Azure Web Apps to Customer Cloud Instance

coddydaddy88
Explorer
a week ago

Environment

  • Sending from: Azure Web Apps (Kudu CLI)
  • Target: Two Splunk instances
    1. Personal trial Splunk (working)
    2. Customer's Splunk Cloud (not receiving data)

Problem Description

I am attempting to send log data to two different Splunk HTTP Event Collector (HEC) endpoints from an Azure Web Apps environment. I am using identical cURL commands for both:

Working Splunk Instance (Trial)

curl -k "https://[TRIAL_SPLUNK_HEC_URL]/services/collector/event" \
     -H "Authorization: Splunk [REDACTED_TOKEN]" \
     -d '{ "event": { ... }, "sourcetype": "_json", "index": "[TRIAL_INDEX]" }'

Non-Working Splunk Instance (Customer Cloud)

curl -k "https://[CUSTOMER_SPLUNK_HEC_URL]/services/collector/event" \
     -H "Authorization: Splunk [REDACTED_TOKEN]" \
     -d '{ "event": { ... }, "sourcetype": "_json", "index": "[CUSTOMER_INDEX]" }'

Observations

  • Identical cURL command structure.
  • For both Splunk instances, the cURL command on the CLI returns {"text":"Success","code":0}
  • Despite the success response, data is successfully ingested into my personal trial Splunk instance, but no data appears in the customer's Splunk Cloud instance.

Questions

  1. Given that the CLI returns "Success" for both, what could be preventing the data from appearing in the customer's Splunk Cloud instance?
  2. What additional troubleshooting steps can verify HEC configuration and permissions on the customer's Splunk Cloud?
  3. Could this issue be related to specific user role permissions or privileges, as I have been granted only limited access by the customer? Are there particular Splunk roles or permissions required for HEC token usage that might be missing?

Attempted Troubleshooting

  • Verified correct HEC URL for both instances.
  • Confirmed valid HEC tokens for both instances.
  • Checked general network connectivity from the Azure Web Apps environment.
  • Validated JSON payload structure.

Any guidance on identifying and resolving this selective data ingestion issue, especially considering the "Success" response from the CLI would be greatly appreciate

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

coddydaddy88
Explorer
Tuesday

@livehybrid @PickleRick @kiran_panchavat Thank you so much for the responses and suggestions.  Albeit the issue was solved.

It turned out to be a rather funny situation! The data was actually being ingested into Splunk, as indicated by the 200 status code I was receiving for both the trial and customer Splunk instances. This aligns with what @PickleRick mentioned about the HEC endpoint returning 200 if it received the events properly

The problem was resolved when I tried double quotes when searching in Splunk (i.e., index="index_name" instead of index='index_name')🤦‍♂️ Once I did that, the data immediately became visible. I had the necessary access all along; it was a simple search syntax oversight.

I will also take note of @PickleRick 's advice regarding not using the _json sourcetype, as it's considered a bad practice. Thank you all again for your valuable insights!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

coddydaddy88
Explorer
Tuesday

@livehybrid @PickleRick @kiran_panchavat Thank you so much for the responses and suggestions.  Albeit the issue was solved.

It turned out to be a rather funny situation! The data was actually being ingested into Splunk, as indicated by the 200 status code I was receiving for both the trial and customer Splunk instances. This aligns with what @PickleRick mentioned about the HEC endpoint returning 200 if it received the events properly

The problem was resolved when I tried double quotes when searching in Splunk (i.e., index="index_name" instead of index='index_name')🤦‍♂️ Once I did that, the data immediately became visible. I had the necessary access all along; it was a simple search syntax oversight.

I will also take note of @PickleRick 's advice regarding not using the _json sourcetype, as it's considered a bad practice. Thank you all again for your valuable insights!

0 Karma
Reply
Solved! Jump to solution

coddydaddy88
Explorer
a week ago

@PickleRick @kiran_panchavat Thank you for you responses.

Another possible cause I am thinking is that , maybe the Customer side HEC might not have the specified index in the allowed indexes.

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
a week ago

Hi @coddydaddy88 

You can test that your HEC token is working with the remote Splunk instance with the health endpoint, it should provide the following response:

{"text":"HEC is healthy","code":17}

 https://yoursplunkinstance/services/collector/health?token=31a1735d-2ba6-48bd-9098-cadcf9001f63

(Update token accordingly) 

This doesnt confirm the index is correct thought, as @PickleRick mentioned, it will return a 400 status if the index is not permitted. See https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/TroubleshootHTTPEventCollector#:~:text=JSON%... for more info on status codes for HEC.

Can you do the following search, do you get any errors? 

index=_internal HttpInputDataHandler reply=*

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
a week ago

As I wrote - if I remember correctly, if you post an event for an index you're not allowed you should get 400, not 200.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
a week ago

1. Do not use the default _json sourcetype. It has nothing to do with the problem at hand but it's a bad practice.

2. Generally, your reasoning is ok - as the HEC endpoint returns 200 that means that it received the event(s) properly and starts processing them. That doesn't mean anything beyond that.

I'm not sure but I suppose if you were sending data to an index your token does not have access to, you should be getting a 400 instead of 200 - see https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/TroubleshootHTTPEventCollector#Possible_erro...

So your end seems ok.

But there could be some routing/filtering happening on the receiving side.

Or you might not have access to the index(es) as a user (Splunk will not throw any error at you; it will just say "no results").

Or you might be searching at wrong point in time (you seem to be sending events without explicit timestamp. The timestamp will not be parsed out from the event.)

Reply
Solved! Jump to solution

kiran_panchavat
Champion
a week ago

@coddydaddy88

  • Confirm that [CUSTOMER_INDEX] exists.
  • Ensure your user role has read access to that index.
  • Please check internal logs
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

kiran_panchavat
Champion
a week ago

@coddydaddy88 

Splunk Cloud may have an IP allow list configured, restricting HEC requests to specific IPs. If the Azure Web Apps outbound IP addresses are not included, requests may be accepted but not processed

https://splunk.my.site.com/customer/s/article/Unable-to-ingest-data-though-the-HEC-token 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...