Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Different authentications for HEC Token

lqiao
Explorer
‎01-02-2018 02:23 PM

Hi,

I am following this online doc to test the three authentication for HEC tokens: http://dev.splunk.com/view/event-collector/SP-CAAAE7G. I don't understand why only HTTP authentication works while the other two gave different errors. Is it a permission issue? Please help. Thank you.

HTTP Authentication:
Command: curl -k http://hostname:8088/services/collector -H 'Authorization: Splunk tokenId' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Success","code":0}

Basic Authentication:
Command: curl -k -u "x:tokenID" http://hostname:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Invalid authorization","code":3}

Query String:
Command: curl -k http://hostname:8088/services/collector/event?token=tokenId -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Token is required","code":2}

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

outcoldman
Communicator
‎01-03-2018 08:38 AM

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

outcoldman
Communicator
‎01-03-2018 08:38 AM

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-04-2018 03:07 PM

Hi outcoldman,

You are correct. I'd like to amend something to your answers after my testing. It is not your mistake. It is a Splunk doc issue.

Even in this doc http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth, it says that "Basic authentication and query string authentications are new features in Splunk 6.4 and above.", basic and query string authentications are not working on Splunk 6.4.3, see the result in my question.

I tested on Splunk 6.5.6 (latest 6.5 version), basic authentication is working here. Query string authentication gave {"text":"Token is required","code":2} error, meaning that it is not supported on 6.5 version.

I tested also on Splunk 6.6.5 (latest 6.6 version), both basic authentication and query string authentication are supported. 6.6.0 is the first version supporting configuration allowQueryStringAuth. Splunk doc says by default, allowQueryStringAuth = false, so result: {"text":"Query string authorization is not enabled","code":16}. After setting it to true, result is {"text":"Success","code":0}. This setting is not visible in the default inputs.conf.

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-04-2018 05:24 PM

I have updated my answer, thank you for clarification!

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-02-2018 10:26 PM

Which Splunk version are you using? I believe another two were added later, not on the initial release.

Reply
Solved! Jump to solution

lqiao
Explorer
‎01-03-2018 08:28 AM

Thank you. I am using Splunk 6.4.3. I can test with higher version today.

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-03-2018 08:35 AM

Actually docs say that it should be available with 6.4.x http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-03-2018 08:38 AM

Looking at the example, it mentions:

Using Basic auth (6.5.0 and later only)

wrong in the doc?

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-03-2018 05:31 PM

Seems like somewhere is a mistake, please send a feedback

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-04-2018 03:09 PM

I never hear my feedback back. I did more testing and added comment to your answer. Thanks for your answer. I don't want to accept it directly as the version part might confuse other people. It is not your mistake. My comment is being reviewed by the moderator.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...