I am trying to configure the HTTP Event Collector in my lab so that I can do some testing around data queuing, but I'm hitting an odd problem.
My setup is a Heavy Forwarder that is configured to send to a small cluster of indexers. I can see in the logs where it is making good connections to all of them.
When I configured my tokens to test with, my test events are being rejected.
From another server I issue the following command:
curl -k "http://<myip>:8088/services/collector" -H "Authorization: Splunk dded8e66-57f2-44e9-b4a4-42bf231a2e7e" -d '{"event": "Hello, world!", "sourcetype": "manual"}'
I get the following response on the issuing server:
curl: (52) Empty reply from server
And this is what shows up in my splunkd log on my HEC server:
04-05-2021 14:36:05.026 -0400 ERROR TcpInputProc - Message rejected. Received unexpected message of size=1347375956 bytes from src=<myip>:46804 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
I can't imagine my message is really that size. Anyone got an idea what is going on here?
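The size reported in the rejected-message log line can be compared with what the client actually put on the wire. This is an added example, not part of the original post: it assumes the receiving input reads the first four bytes of the stream as a big-endian 32-bit length, and it turns the logged size back into those four bytes. The second log line, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import re
import struct

# First line: the splunkd.log entry quoted in the post (tail trimmed).
# Second line: constructed sample of a TLS client hitting the same kind of port.
LOG_LINES = [
    "04-05-2021 14:36:05.026 -0400 ERROR TcpInputProc - Message rejected. "
    "Received unexpected message of size=1347375956 bytes from src=<myip>:46804 "
    "in streaming mode. Maximum message size allowed=67108864.",
    "04-05-2021 14:40:11.512 -0400 ERROR TcpInputProc - Message rejected. "
    "Received unexpected message of size=369295618 bytes from src=192.0.2.10:50122 "
    "in streaming mode. Maximum message size allowed=67108864.",
]

SIZE_RE = re.compile(r"unexpected message of size=(\d+) bytes from src=(\S+)")
# First four bytes of common HTTP request lines.
HTTP_PREFIXES = {b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE", b"OPTI", b"PATC"}


def size_to_bytes(size):
    """Undo the assumed big-endian 32-bit length read; None if out of range."""
    if not 0 <= size <= 0xFFFFFFFF:
        return None
    return struct.pack(">I", size)


def classify(first4):
    """Guess what protocol produced these leading bytes."""
    if first4 in HTTP_PREFIXES:
        return "plaintext HTTP request"
    if first4 is not None and first4[0] == 0x16 and first4[1] == 0x03:
        return "TLS handshake record"
    return "unknown"


def triage(line):
    """Return (src, size, first4, guess) for a rejected-message line, else None."""
    m = SIZE_RE.search(line)
    if m is None:
        return None
    size = int(m.group(1))
    first4 = size_to_bytes(size)
    return m.group(2), size, first4, classify(first4)


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(triage(entry))
```

For the value in the post, the four bytes are the ASCII text `POST`, which is how the request line of the curl command begins.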