We have akamai Cloud Monitor App installed on the Splunk. IT used to work when we we were using the Splunk Trial version; later on we purchased 200Gb licensing but I am not able to find any events for the last 6 months. The last time, it generated logs when we had the trial version. We already have the Http EventCollector setup on the Heavy Forwarder. I can see that it is enabled from the HF. Is there any way we can check or enable it so that it starts indexing new logs and display the newer results.
Hi,
The best way to check if the akamai logs are ingesting to Splunk or not is to run a curl command on your Splunk HF where HEC is enabled. This will indicate if HEC input is working correctly or not in first place.
Example:
curl -k http://splunkHFserver1:8088/services/collector/event -H "Authorization: Splunk xxxxxxxxxxxxxxxxxxxxxxxxxxx" -d '{"sourcetype": "akamai:cm:json", "event": "TEST-EVENT-1"}'
{"text":"Success","code":0}
You should see a success message with Error code 0.
if there are errors then check the SSL version used by Akamai and set cipherSuite setting accordingly in $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf
Check if the version used by Akamai CM is compatible with your Splunk Version or not.
Hope this info helps.
Thanks,
Sai Appali