Splunk Enterprise

Splunk HEC token is not working

uagraw01
Builder

As per the screenshot below, my server is not giving any health status for HEC port 8088. Because of this I am not able to publish anything using the HEC token in Splunk, for example:

curl -k -H "Authorization: Splunk ee6d8a90-4863-4789-9ff1-fda810bee6f2" http://walvau-vidi-1:8088/services/collector/event -d '{"event": "hello world"}'


Please guide me on what the issue could be and how I can investigate it further.

uagraw01_0-1711736562730.png

default inputs.conf :

[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true


local inputs.conf:

[http]
disabled = 0
enableSSL = 0

PickleRick
SplunkTrust

The usual debugging steps apply:

1) Check if the receiving side is listening on the port (use netstat to list open ports and verify if 8088 is among them).

2) Check the network connectivity from the client

3) Verify firewall rules

4) If needed, run tcpdump/wireshark on the server and see if any traffic from the client is reaching the server at all.

When you can connect to your HEC service port you can start debugging the token settings.
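A script that automates the checks in this answer, added here as an example rather than code from the thread or from Splunk. It assumes a Linux host with ss and curl; HEC_HOST, HEC_PORT, the sample ss lines and the program names are placeholders, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Triage a Splunk HEC listener: what owns the
# port, which scheme the merged [http] config implies, and whether the token-less
# health endpoint answers. HEC_HOST/HEC_PORT are placeholders for your instance.
HEC_HOST="${HEC_HOST:-127.0.0.1}"
HEC_PORT="${HEC_PORT:-8088}"

# Reads `ss -ltnp` output on stdin and prints "program pid=N" for the process bound
# to port $1. Empty output means nothing listens there; a program other than
# splunkd is the port-conflict case the original poster ran into.
hec_port_owner() {
  local port="$1"
  grep -E "^LISTEN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]*:${port}[[:space:]]" \
    | sed -E 's/.*users:\(\("([^"]+)",pid=([0-9]+).*/\1 pid=\2/'
}

# Prints http or https from the [http] stanza of the inputs.conf given as $1.
# Feed it the merged view (`splunk btool inputs list http`) so local overrides of
# default are seen; HEC defaults to SSL, so only an explicit enableSSL = 0 means http.
hec_scheme() {
  awk -F'=' '
    /^\[/ { in_http = ($0 == "[http]") }
    in_http && $1 ~ /^[[:space:]]*enableSSL[[:space:]]*$/ { v = $2; gsub(/[[:space:]]/, "", v) }
    END { print ((v == "0") ? "http" : "https") }' "$1"
}

# Probes the health endpoint (no token needed) and prints the HTTP status code:
# 000 means no TCP/TLS connection at all, 200 means HEC is up and the token is next.
hec_health() {
  curl -sk -o /dev/null -w '%{http_code}' "$1://${HEC_HOST}:${HEC_PORT}/services/collector/health"
}

# Runs the whole check; $1 is the path to the merged inputs.conf to read.
triage() {
  local owner scheme code
  owner=$(ss -ltnp 2>/dev/null | hec_port_owner "$HEC_PORT")
  case "$owner" in
    "")       echo "nothing listens on ${HEC_PORT}: [http] input disabled or splunkd down" ;;
    splunkd*) echo "splunkd owns ${HEC_PORT} (${owner})" ;;
    *)        echo "PORT CONFLICT: ${owner} owns ${HEC_PORT}, not splunkd" ;;
  esac
  scheme=$(hec_scheme "${1:?path to merged inputs.conf}")
  code=$(hec_health "$scheme")
  echo "${scheme}://${HEC_HOST}:${HEC_PORT}/services/collector/health -> HTTP ${code}"
}

# Only run the live checks when explicitly asked, so the functions can be sourced.
if [ "${HEC_TRIAGE:-0}" = "1" ]; then triage "$@"; fi
```

Run it with `HEC_TRIAGE=1 HEC_HOST=<your host> ./hec_triage.sh /path/to/merged-inputs.conf`; a conflict line plus HTTP 000 is the symptom described in this thread.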

uagraw01
Builder

@PickleRick @marnall After further investigation I found that TCP port 8088 was being used by another app. I removed the config from there and now everything is working fine.

Screenshot of the issue:

uagraw01_0-1711790925217.png

Resolved screenshot:

uagraw01_1-1711790993298.png

Thanks to both of you for your support and suggestions.


marnall
Builder

I would not recommend posting valid authorization tokens on the internet, as unscrupulous people or bots could abuse them.

Could you try curl-ing the collector health endpoint using HTTPS instead of http?

If it still does not give a response, it might be a firewall issue. Try connecting to the machine itself using ssh and then doing a curl on localhost, like this:

curl -k https://127.0.0.1:8088/services/collector/health


uagraw01
Builder

@marnall For your information, I already tried with https before posting this to Splunk Answers, and for your information the Windows server is using telnet instead of SSH.

Can you please help me understand why you suggested https? Because on the other server the posted command is working fine with "http".

Please provide your further suggestions on this.


marnall
Builder

Depending on how your server is configured, it may reject http connections. Are you able to connect to the collector health endpoint on 127.0.0.1 by connecting to the server via telnet and sending the request to localhost?

uagraw01
Builder

@marnall I have also opened inbound port 8088, so I think a firewall-related issue should not be the concern now.
