Hi @edoardo_vicendo , thanks for the reply.

Yeah, no issue with the sending of data. Like you, we managed to crack it.
But the HEC that receives the data is also receiving from an appliance and a AWS Firehose, on two other input tokens. Using the Splunk search I sent, I'm able to see metrics for connections, bytes ingested and parsing errors for those two other tokens, but NONE from the token used by the UF using S2S over HTTP.

You are welcome.

I would try checking based on what is written here:

https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector

In particular:

1- Check if HEC token is enabled (I guess so :-))

2- Verify if ACK is enabled

3- Look at the log file directly in the machine

$SPLUNK_HOME/var/log/introspection/splunk/http_event_collector_metrics.log

4- Run a more general query

index="_introspection" token

5- Enable logs in DEBUG

Hi @edoardo_vicendo ,

Do you still have your working setup?

Do you find that introspection logs from the HEC receiver instances report metrics for tokens used by "/services/collector/raw" and "/services/collector/event", but not "/services/collector/s2s" ?

index="_introspection" component=HttpEventCollector data.token_name=*

Dislike to reply to my own comment, but I got an answer from Splunk Support.

HTTP Event Collector does NOT log metrics from UF sending data over HTTP, and this is reported on internal ticket SPL-239230 : "No metrics are sent to the http_event_collector_metrics.log"  which has been in backlog since 2023.

@edoardo_vicendo we are facing the same issue, but I see the same error even after adding the proxy config under server.conf..

ERROR S2SOverHttpOutputProcessor - HTTP 502 Bad Gateway

here's my outputs.conf file..

[httpout]
httpEventCollectorToken = ###khldkhfkahl979797####
uri = https://10.x.x.x:443
batchSize = 32768
batchTimeout = 10

it's a network load balancer on AWS, are you using the same kind of load balancer.??

@prakash007 You posted this over a year ago but I'd like to know if you managed to solve this issue?
I've similar setup and getting HTTP 502 Bad Gateway

Hi @prakash007 

You probably don't need to declare the port in uri config, the 443 is the default one for https connection.

By the way, even with the correct configuration I posted previously we were getting an HTTP 502 Bad Gateway error. Our Use Case was to export some logs from an on premise Data Center to a third party Splunk installation hosted in AWS. The target was hosted in AWS, with a Load Balancer and a WAF in front but the modification were in charge to the third party admin, and as far as I know they did some modification in the WAF rules to avoid the HTTP 502.