Re: Unable to connect to Splunk Cloud trial instan...

msilva · ‎12-21-2022

Good evening,

We are currently unable to connect to the following Splunk Cloud trial instance which shall expire next December 29th. Could you please investigate this issue?

15:51 $ curl -k -H "Authorization: Splunk a19b174b-9x9x-4e02-a83f-9999999999999" -v -d '{"index": "moacir-splunk-cloud-siem", "event": "blah blah blah","sourcetype": "_json" }' https://prd-p-ojiyn.splunkcloud.com:8088/services/collector/event
*   Trying 3.93.228.43:8088...
* TCP_NODELAY set
* connect to 3.93.228.43 port 8088 failed: Connection timed out
* Failed to connect to prd-p-ojiyn.splunkcloud.com port 8088: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to prd-p-ojiyn.splunkcloud.com port 8088: Connection timed out

Warm regards,

Moacir

msilva · ‎12-21-2022

2 previous trial cloud instances were used a few months ago, and everything was working fine without any change on our side. It could be there is an issue with the current instance, so we will wait for it to expire and request a new one.

Kind regards,

Moacir

richgalloway · ‎12-21-2022

Sending data to HEC endpoints in Splunk Cloud requires adding "http-inputs-" or "http-inputs." to the URL. See https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_E...

BTW, we are all fellow community members here so none of us can investigate the issues others are having. We can only make suggestions.

PS - I masked the token in the OP for security.

---
If this reply helps you, Karma would be appreciated.

msilva · ‎12-21-2022

Hi,

We have followed your suggestion but unfortunately the issue is still happening:

curl -k -H "Authorization: Splunk a19b174b-3e6a-4e02-a83f-999999999999" -v -d '{"index": "moacir-splunk-cloud-siem", "event": "blah blah blah","sourcetype": "_json" }' https://http-inputs.prd-p-ojiyn.splunkcloud.com:8088/services/collector/event
* Could not resolve host: http-inputs.prd-p-ojiyn.splunkcloud.com
* Closing connection 0
curl: (6) Could not resolve host: http-inputs.prd-p-ojiyn.splunkcloud.com


curl -k -H "Authorization: Splunk a19b174b-3e6a-4e02-a83f-999999999999" -v -d '{"index": "moacir-splunk-cloud-siem", "event": "blah blah blah","sourcetype": "_json" }' https://http-inputs-prd-p-ojiyn.splunkcloud.com:8088/services/collector/event
* Could not resolve host: http-inputs-prd-p-ojiyn.splunkcloud.com
* Closing connection 0
curl: (6) Could not resolve host: http-inputs-prd-p-ojiyn.splunkcloud.com

Also, so far this prefix was not needed since the sending was working well with a previous test instance... Maybe you could retry on your side using the original token?

Warm regards,

Moacir

richgalloway · ‎12-21-2022

The choice of which prefix to use is not yours to make - it's determined by the platform on which your stack is hosted. Regardless, it appears the original URL (without prefix) works better in that it at least can be resolved. The timeout message could be caused by a firewall discarding the connection attempts. Have you checked your firewalls?

The original token no longer is available. Even if it was, I would not access someone else's system.

---
If this reply helps you, Karma would be appreciated.

msilva · ‎12-21-2022

2 previous trial cloud instances were used a few months ago, and everything was working fine without any change on our side. It could be there is an issue with the current instance, so we will wait for it to expire and request a new one.

Kind regards,

Moacir

Unable to connect to Splunk Cloud trial instance?

Splunk Investigate

troubleshooting

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas