Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- POST HTTP event to splunk : call not properly aut...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
POST HTTP event to splunk : call not properly authenticated- Why am I getting this?
Trying to POST events to splunk using HTTP. This local on prem splunk installation.
For now I am getting this -
rsarode-mac:splunk rugvedsarode$ curl -k -H "Authorization: Splunk <MY-TOKEN-ID> https://localhost:8001/services/collector/event -d '{"event":"hello world"}'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">call not properly authenticated</msg>
</messages>
</response>
I saw this but it did not help - https://answers.splunk.com/answers/406291/using-java-to-make-a-rest-api-call-to-splunk-why-a.html?ut...
I even tried to add "-u admin:". But still same issue.
Note my - mgmtHostPort = 127.0.0.1:8001
Furthermore, what is the corresponding header key value for curl "-k" option? Like we have
Content-Type: text/xml; OR
Connection: Keep-Alive;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had this same issue. There is a global settings button in the top right hand corner of the HTTP Event Collector screen. You may have a little warning symbol up there that states that you need to enable HEC within Global Settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I experienced the same problem and did the following to solve it:
- Enable the http collector: "You enable it in self-service Splunk Cloud by going to Settings > Data Inputs > HTTP Event Collector > Global Settings, and then clicking Enabled"
- Create a http collector token.
- Restart splunk
- The following curl command then worked: curl -k -H "Authorization: Splunk " https://localhost:8088/services/collector/evenrcetype", "event": "http auth ftw!"}'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the curl command in #4 is malformed... opening curly is missing, auth token? or it should be empty?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
