Hi,
I'm very new to Splunk and have signed up for a trial account, and I'm looking to connect to the HTTP Event Collector using simple curl commands.
Following the docs here : https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector
I've set up my new token using the default configuration. I'm certain I'm using the managed service as I don't have any access to global settings.
According to the above docs, to make calls using curl the endpoint is <protocol>://http-inputs-<host>:<port>/<endpoint>; however I can't get anything other than: curl: (6) Could not resolve host: http-inputs-<hostname>.splunkcloud.com
Do I need to enable something in my account so this host becomes available?
I'm using my login URL (from the screenshot below) as the hostname. That is correct, yes?
https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
Splunk Enterprise and Self-service Splunk Cloud
curl -k https://hec.splunk.com:8088/services/collector/event -H "Authorization: Splunk B5A89CAD-D842-46CC-80A1-017F83D7CFB2" -d '{"event": "hello world"}'
Hope you have created a new token using Settings -> Data Inputs -> HTTP Event Collector.
You are getting the error because you are using the wrong URL. Use the one Splunk has provided.
For example: if they have provided the URL prd-abcd.splunkcloud.com, your curl statement would be
curl -k https://prd-abcd.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk yourtoken" -d '{"event": "hello world"}'
Note: replace yourtoken with the token you get from your splunkcloud instance.
Don't enable indexer acknowledgement in the HEC settings while testing it from curl. If it's enabled you may get an error like the one below:
{"text":"Data channel is missing" ,"code":10}
But this URL is not working for Docker using the logs driver. That's because the certificate used on https://prd-abcd.splunkcloud.com:8088 is not the same as the one used on port 443, the valid one at https://prd-abcd.splunkcloud.com
This leads to a problem running the docker driver like this one:
ERROR: for <service-name> Cannot start service <service-name>: failed to initialize logging driver: Options https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event/1.0: x509: certificate is valid for SplunkServerDefaultCert, not prd-p-xxxxx.splunkcloud.com
Thanks for the help guys. Feels like I'm getting closer, as I'm no longer getting "host not resolved", but I'm still getting this as a return:
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=https://prd-p-xxxxx.splunkcloud.com/en-US/services/collector/event"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="https://prd-p-xxxxx.splunkcloud.com/en-US/services/collector/event">here</a>.</p></body></html>
Tried with /services/collector (no /event) but same result. Maybe the endpoint has changed?
I was a bit confused by the documentation, which had prefixes for the URL of input or http-inputs depending on whether I'm using self-service or managed (I am using a managed trial service at the moment).
@transformddaveh
Please read through my answer:
The reason for getting the error is you haven't specified the port number, which is supposed to be 8088.
Thank you that was what I was missing the second time around.
I am now getting the right response!! Thanks for your help.
Great, you got the solution; please accept my answer as the solution if you think that solves your problem.
The one he/she is using is not a managed cloud instance.
it worked like a charm!!
If you enable it then you must add that channel on those requests and also query those acks on your client. More information can be found at:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/AboutHECIDXAck
If it's mandatory that you don't lose events then you must use that, otherwise you could lose some events from time to time. This can also lead you to a situation where you have duplicate events!
r. Ismo
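The two points raised in this thread, the "Data channel is missing" (code 10) error you get when indexer acknowledgement is on but the request carries no channel, and the send-then-query-acks loop Ismo describes, can be seen end to end in the added example below. It is not code from the thread or from Splunk: it runs a small in-process stand-in for the HEC endpoint (an assumption that mirrors the documented JSON responses, with ack always enabled) so it works offline, and the client side shows the X-Splunk-Request-Channel header and the /services/collector/ack poll you would point at your real https://<instance>.splunkcloud.com:8088 host. The token and channel values are constructed placeholders.

```python
"""Worked HEC exchange with indexer acknowledgement, against an offline mock."""
import json
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Constructed placeholder token; a real HEC token is a GUID from your instance.
TOKEN = "00000000-0000-0000-0000-000000000000"


class FakeHEC(BaseHTTPRequestHandler):
    """Stand-in for a HEC input with indexer acknowledgement enabled (assumption)."""
    acks = {}      # ackId -> indexed yet?
    next_id = 0

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        url = urlparse(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != f"Splunk {TOKEN}":
            return self._reply(403, {"text": "Invalid token", "code": 4})
        # Channel may come as a header or as ?channel=...; with ack on it is required.
        channel = self.headers.get("X-Splunk-Request-Channel") or \
            parse_qs(url.query).get("channel", [None])[0]
        if channel is None:
            return self._reply(400, {"text": "Data channel is missing", "code": 10})
        if url.path == "/services/collector/event":
            ack_id, FakeHEC.next_id = FakeHEC.next_id, FakeHEC.next_id + 1
            FakeHEC.acks[ack_id] = False
            return self._reply(200, {"text": "Success", "code": 0, "ackId": ack_id})
        if url.path == "/services/collector/ack":
            wanted = json.loads(body)["acks"]
            for a in wanted:            # mock: everything is indexed by the first poll
                FakeHEC.acks[a] = True
            return self._reply(200, {"acks": {str(a): FakeHEC.acks[a] for a in wanted}})
        self._reply(404, {"text": "not found", "code": 1})

    def log_message(self, *args):       # keep the mock quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_json(url, body, headers):
    """POST JSON and return (status, parsed body), including for 4xx responses."""
    req = Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def send_with_ack(base, token, event, channel=None):
    """Send one event; if a channel is given, query the ack endpoint for its ackId.

    Returns (http status, event response, acknowledged?). The real endpoint is
    https://<instance>.splunkcloud.com:8088 (port 8088 is what the thread was missing).
    """
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    status, body = post_json(f"{base}/services/collector/event", {"event": event}, headers)
    if status != 200:
        return status, body, False
    ack_id = body["ackId"]
    _, acks = post_json(f"{base}/services/collector/ack?channel={channel}",
                        {"acks": [ack_id]}, headers)
    # Until this is True the indexer has not confirmed the event: keep it for a resend.
    return status, body, acks["acks"].get(str(ack_id), False)


def demo():
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        no_channel = send_with_ack(base, TOKEN, "hello world")                  # code 10
        with_channel = send_with_ack(base, TOKEN, "hello world", str(uuid.uuid4()))
        return no_channel, with_channel
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

The first call reproduces the "Data channel is missing" response from the thread; the second shows why Ismo warns about duplicates: only after the ack poll reports True should a client stop retrying, and retrying before that can land the same event twice.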