I got the following error a lot: "ERROR HttpInputDataHandler - Parsing error : No data"
I guess it is related to HEC but I don't understand it nor find info about it.
Would anyone know more about this error?
I believe these can be safely ignored as "keep alive" calls from firehose/load balancers checking the connection but not sending data.
Putting in docs feedback on troubleshooting hec and firehose docs for future reference
@mattymothis happened to us as well, but only when we moved to a load balancer in front of our indexers. Our previous step, which was HEC on a heavy forwarder, we never had this issue. Do you know if this is specific to load balanced HEC?
Bumping this issue.
We currently leverage AWS Kinesis firehose to ingest log data via HEC. We recently started to see an increase number of "no data" errors reported via the Splunk HEC endpoint.
However log data appears to continue to function as expected.
Figure out which configured HEC-Stanza generate the errors via "Monitoring Console --> Indexing --> Input --> HTTP Event Collector: Deployment" and check the configuration on source side.
The incoming requests from the affected source are not valid and can't be handled in a correct way by Splunk.
Thanks @Paul1896 ! I had not checked that way.
There is no invalid request.
But there are some 'parser errors'. The cool thing is that you can browse 'parser errors' by token. But like I said in the comment above, it matches plenty tokens not just one or two. Plus these tokens are OK, I mean there is data indexed through them, not no data at all.
So I am wondering what are these 'parser errors' ? I mean, from the logs, it does not seem to be timestamp issues.
On my heavy forwarder i cant see this Monitoring console as the logs are not storing in local machine. however on the indexer i do not have monitoring console. Is there any other way to verify this?
I actually got this below error and stopped ingesting logs since then. I dont see any more errors also related to this hec data input in the logs after 8.30. there are other inputs working fine. and fyi i copied this splunk_httpinput folder from my old splunk instance to new splunk instance to avoid recreating all the tokens i had earlier. does this makes any issues ?
01-21-2020 07:36:24.170 +0000 ERROR HttpInputDataHandler - Failed processing http input, token name=OpenBankingAggregateProd, channel=48C994DD-C1F5-462F-BAED-FC00694CF173, source_IP=10.84.31.115, reply=9, events_processed=0, http_input_body_size=2980144
component = HttpInputDataHandlereventtype = splunkd-loghost = ip-10-84-17-157http_input_body_size = 2980144log_level = ERRORmessage = Failed processing http input, token name=OpenBankingAggregateProd, channel=48C994DD-C1F5-462F-BAED-FC00694CF173, source_IP=10.84.31.115, reply=9, events_processed=0, http_input_body_size=2980144
Now In 7.3.4, we still have the "Parsing error : No data" error.
We now have more detailed errors in splunkd logs :
02-21-2020 10:35:22.634 +0000 ERROR HttpInputDataHandler - Failed processing http input, token name=, channel=, source_IP=22.214.171.124, reply=5, events_processed=0, http_input_body_size=0
It still being generated for multiple HEC inputs, which are working (data being ingested, no invalid token or other significant errors).
And we still do not understand why it is being generated 😕
hi @D2SI , Even i am getting these errors, but i started noticing when i upgraded splunk from 7.0.1 to 8.0.0 and copied the same splunk_httpinput app from the old instance to new instance. Is it same case with you. are you seeing this errors after the upgrade?
Hi @srinikrishna, same here, upgraded from 7.0.x from 7.2.8, then started noticing the errors. I have activated DEBUG and I believe these errors match this kind of messages indicating that no data was processed:
01-21-2020 21:35:51.653 +0000 DEBUG HttpInputDataHandler - handled token: <token>, channel: <channel>, source IP: <ip>, reply: 9, processed: 0, http input body size: 679733
But I can see these processed: 0 messages for plenty of tokens, most of them working fine and indexing data so I am confused how to interpret this.