Unable to see the log data in indexer read by HTTP Event Collector post reinstallation of Splunk package

santosh_hb
Explorer

Hi All,

Need a quick help on the below issue.

  • We had configured HTTP Event Collector to read Netflow logs on port 8088 on Splunk HF. (Splunk version was 7.2.1)
  • Token was generated and it was added on External Logger and was authenticated to connect to Splunk HF.
  • Now, for some reason we have stopped the Splunk on HF and reinstalled Splunk 7.1.6 on the same HF.
  • HTTP Event Collector configs are copied from previous configurations along with Token value.
  • Now, the data has stopped flowing into Indexer post this change.
  • Tried to check all the HTTP Event Collector debug techniques but unable to understand the issue.
  • I can't even see any errors in internal logs coming from HF.

I doubt the issue might be with Token that was created earlier. Do I need to recreate the HTTP token and reconfigure it?

Awaiting your help.
regards,
Santosh

0 Karma

renjith_nair
Legend

@santosh_hb,

Yes, each token has a unique value, which is a 128-bit number that is represented as a 32-character globally unique identifier (GUID). You have to create a new token after enabling HEC as described in Configure HTTP Event Collector on Splunk Enterprise in the new installation.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

VatsalJagani
SplunkTrust

@santosh_hb,
Check the configuration below; if all looks good, then re-create the token and use that. (As you have changed the Splunk version, re-creation of the token is probably required.)

  • In Global Settings > All Tokens is enabled.
  • Port is 8088 only.
  • Enable SSL is set to proper value that you are using on sender side.
  • Your token is enabled.

Hope this helps!!!

0 Karma
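
A sender-side check of the list above, as an added example that is not part of the original thread: it posts one test event to HEC and maps the reply, or the connection failure, back to the checklist items. The function names and hint texts are assumptions of this example; the `/services/collector/event` endpoint, the `Authorization: Splunk <token>` header and reply codes 0 to 4 are standard HEC behaviour.

```python
import json
import ssl
import urllib.error
import urllib.request

# HEC reply codes mapped to the checklist items in this thread (hint wording is ours).
HINTS = {
    0: "accepted: HEC and token are fine, check forwarding from the HF to the indexer",
    1: "token disabled: enable the token and 'All Tokens' in Global Settings",
    2: "token required: the sender sent no Authorization header",
    3: "invalid authorization: header must read 'Authorization: Splunk <token>'",
    4: "invalid token: this instance does not know the token, re-create it and update the sender",
}

def classify(status, body):
    """Turn an HTTP status and HEC JSON body into a checklist hint."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return f"HTTP {status} with a non-HEC body: is this port really HEC?"
    return HINTS.get(code, f"HTTP {status}, HEC code {code}: see splunkd.log on the HF")

def explain_error(exc):
    """Map a transport failure to the port / Enable SSL checklist items."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLError):
        return "TLS failure: 'Enable SSL' does not match the sender's scheme or certificate"
    if isinstance(reason, ConnectionRefusedError):
        return "connection refused: HEC is not enabled or not listening on this port"
    return f"transport error: {reason!r}"

def probe(base_url, token, verify_tls=True):
    """POST one test event to HEC and return a hint string."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab HF with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/event",
        data=json.dumps({"event": "hec probe"}).encode(),
        headers={"Authorization": f"Splunk {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a HEC JSON body
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError) as err:
        return explain_error(err)
```

Call `probe("https://<hf-host>:8088", "<token>")` from the sender's network; an "invalid token" hint with the copied token value is the case the two answers describe.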