Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to see the log data in indexer read by HTTP Event Collector post reinstallation of Splunk package

santosh_hb
Explorer
‎06-17-2019 03:54 AM

Hi All,

Need a quick help on the below issue.

  • We had configured HTTP Event Collector to read Netflow logs on port 8088 on Splunk HF. (Splunk version was 7.2.1)
  • Token was generated and it was added on External Logger and was authenticated to connect to Splunk HF.
  • Now, for some reason we have stopped the Splunk on HF and reinstalled Splunk 7.1.6 on the same HF.
  • HTTP Event Collector configs are copied from previous configurations along with Token value.
  • Now, the data has stopped flowing into Indexer post this change.
  • Tried to check all the HTTP EVent Collector debug techniques but unable to understand the issue.
  • I even can't see any errors in internal logs coming from HF

I doubt the issue might be with Token that was created earlier. Do I need to recreate the HTTP token and reconfigure it.

Awaiting for your help.
regards,
Santosh

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎06-17-2019 06:01 AM

@santosh_hb,

Yes, each token has a unique value, which is a 128-bit number that is represented as a 32-character globally unique identifier (GUID). You have to create new token after enabling HEC as described in Configure HTTP Event Collector on Splunk Enterprise in the new installation.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-17-2019 05:59 AM

@santosh_hb,
Check below configuration if all looks good then re-create the token and use that. (As you have changed Splunk version re-creation of token is probably require)

  • In Global Settings > All Tokens is enabled.
  • Port is 8088 only.
  • Enable SSL is set to proper value that you are using on sender side.
  • Your token is enabled.

Hope this helps!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...