Hi
I am following this documentation from GCP [1], which mentions that YOUR_SPLUNK_HEC_URL must not include the HEC endpoint path, for example, /services/collector.
My question is more specifically related to this section [2]; it mentions that the format should be
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>
Which one would be the correct URL, e.g.
https://http-inputs.xxxx.splunkcloud.com:433
or
https://http-inputs-xxxx.splunkcloud.com:433
Hey @danylan,
Please use the below format for streaming the logs via HEC.
https://http-inputs-hostname.splunkcloud.com
The endpoint name would be services/collector/event or services/collector/raw.
Also the port name would be 443; I guess you made a typo with 433 below.
Thanks
433 was a typo, thanks. After changing to the hyphen it is still complaining about the URL formation:
Url format should match PROTOCOL://HOST:PORT]
When following the Splunk docs, does it matter if we are on Splunk Cloud Platform or Splunk Enterprise? From the docs it seems the format is a bit different.
Yes, the format of the URL changes depending on where you are sending the data, either to Splunk Enterprise or Splunk Cloud.
Currently I am using Splunk Cloud and we curl from our sources using the below format.
curl -H "Authorization: Splunk <enter hec token>" https://http-inputs-stackname.splunkcloud.com/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'
Hope this helps.
@Roy_9, ty for the reply, I appreciate it.
I am seeing something different.
I am on Splunk Cloud, not on Enterprise; my token is e6a0b67b-e6d0-418f-a2cd-4493804c7c92
I only get a success with the following
curl -k -H "Authorization: Splunk e6a0b67b-e6d0-418f-a2cd-4493804c7c92" https://prd-p-gap0o.splunkcloud.com:8088/services/collector/event -d '{"sourcetype": "test", "index": "test", "event": {"message": "Hello world!"}}'
# I added -k to allow an insecure connection, but it does recognize the URI
When I try with http-inputs- it fails
Note: I am on a trial account by the way.
OK @danylan, got it. I remember there will be a slight change in the URL for self-service and managed-service cloud; please have a look at the documentation.
Not sure about the below error; maybe you need to open a fw connection from your machine to https://http-inputs-hostname.splunkcloud.com
If it is resolved, please accept the solution; I would appreciate you giving a karma point.
Thanks
I believe it's with hyphen (see "where:" section in https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_...) where it says "
.
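A pre-flight check for the base URL discussed in this thread, as an added example that is not part of the original posts and not code from GCP or Splunk. The function name `check_hec_url` is hypothetical, and the rules are assumptions taken from the thread itself: the PROTOCOL://HOST:PORT shape from the quoted error, no endpoint path, the hyphenated `http-inputs-` host, and the 433/443 typo.

```python
from urllib.parse import urlsplit

def check_hec_url(url):
    """Return a list of problems with a HEC base URL (empty list = looks fine)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif parts.scheme == "http":
        problems.append("plain http sends the HEC token unencrypted")
    host = parts.hostname or ""
    if not host:
        problems.append("missing host")
    try:
        port = parts.port          # raises ValueError for a malformed port
    except ValueError:
        port = None
        problems.append("port is not a valid number")
    else:
        if port is None:
            # Assumption: the quoted error implies the port must be explicit.
            problems.append("port must be explicit (PROTOCOL://HOST:PORT)")
    if parts.path or parts.query or parts.fragment:
        problems.append("remove the endpoint path such as /services/collector")
    if host.startswith("http-inputs."):
        problems.append("use http-inputs-<host> with a hyphen, not a dot")
    if port == 433:
        problems.append("port 433 looks like a typo for 443")
    return problems

if __name__ == "__main__":
    # Candidate URLs quoted in the thread (host names are the posters' placeholders).
    candidates = [
        "https://http-inputs.xxxx.splunkcloud.com:433",
        "https://http-inputs-xxxx.splunkcloud.com:443",
        "https://http-inputs-stackname.splunkcloud.com/services/collector/event",
    ]
    for candidate in candidates:
        issues = check_hec_url(candidate)
        print(candidate, "->", issues or "ok")
```

A URL that passes this check can still fail at connection time, for example when the certificate does not validate and `-k` was masking that in a manual curl test.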