Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector- Is there something wrong with this curl command?

splunkerhtml
Loves-to-Learn
‎12-15-2023 07:19 AM

hI

Currently trying to test an HTTP event collector token by directly sending events to the cloud before we use the HEC for a OpenTelemetry Connector, but we are getting stuck at 403 Forbidden error. Is there something wrong with this curl command? 

Not sure if it affects anything but we are still on the Splunk Cloud Classic

Screenshots attached, appreciate any help we can get!&.PNG

0 Karma
Reply

splunkerhtml
Loves-to-Learn
‎12-18-2023 05:02 AM

Hello, I tested my curl is now working but I always get this error with Mulesoft HEC

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-15-2023 01:59 PM

For those who like to learn the different error codes and their details:

Possible error codes

The following status codes have particular meaning for all HTTP Event Collector endpoints:

Status code HTTP status code ID HTTP status code Status message

0200OKSuccess
1403ForbiddenToken disabled
2401UnauthorizedToken is required
3401UnauthorizedInvalid authorization
4403ForbiddenInvalid token
5400Bad RequestNo data
6400Bad RequestInvalid data format
7400Bad RequestIncorrect index
8500Internal ErrorInternal server error
9503Service UnavailableServer is busy
10400Bad RequestData channel is missing
11400Bad RequestInvalid data channel
12400Bad RequestEvent field is required
13400Bad RequestEvent field cannot be blank
14400Bad RequestACK is disabled
15400Bad RequestError in handling indexed fields
16400Bad RequestQuery string authorization is not enabled

 

more info on HEC troubleshooting:

https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/TroubleshootHTTPEventCollector

 

thanks, have a great day! 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2023 11:38 AM

Error 403 means the token is incorrect or disabled.  Check that the curl command has the right token.

---
If this reply helps you, Karma would be appreciated.
Reply

splunkerhtml
Loves-to-Learn
‎12-18-2023 12:42 AM

splunkerhtml_0-1702888942331.png

Is this perhaps due to some configuration here, no?

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2023 02:42 AM

Might be. I'm not very strong on Cloud.

0 Karma
Reply

splunkerhtml
Loves-to-Learn
‎12-18-2023 12:11 AM

My token is valid, I tried with 2 differents token created 😞

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-18-2023 04:00 PM

Hi @splunkerhtml, may i know, after creating the token, did you do copy-paste ?!?!
after pasting, maybe, thee is a chance that, you included a space and entered ?!?! (many times many of my friends faced this issue!)
just double check the token created and copy pasted, then update us, thanks. 

or, is this a production project?.. then you may contact Splunk Cloud Support. they should be able to help you. 


Upvotes / karma points are appreciated by everybody, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2023 12:37 AM

Well, your HEC input disagrees with you.

If your data was wrong you'd get a different code (typically a round 400).

403 means that your token doesn't match the allowed tokens.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top