Moving my instance from Splunk Enterprise on vmware to a docker container. It runs okay with the volumes I created but when I copy my /opt/splunk/etc contents from the old server to migrate it to the Docker Container I get this error. Splunk support is saying something is wrong with my docker-compose but I am able to build other containers with it no problem. I did find that status code 401 in the documentation for the HEC. I think it is a permission issue but have gone through the whole /opt/splunk/etc/auth file and it looks good. Any ideas?
TASK [splunk_standalone : Setup global HEC] ************************************
s01 | fatal: [localhost]: FAILED! => {
s01 | "cache_control": "private",
s01 | "changed": false,
s01 | "connection": "Close",
s01 | "content_length": "130",
s01 | "content_type": "text/xml; charset=UTF-8",
s01 | "date": "Wed, 03 Mar 2021 20:36:34 GMT",
s01 | "elapsed": 0,
s01 | "redirected": false,
s01 | "server": "Splunkd",
s01 | "status": 401,
s01 | "url": "https://127.0.0.1:8089/services/data/inputs/http/http",
s01 | "vary": "Cookie, Authorization",
s01 | "www_authenticate": "Basic realm=\"/splunk\"",
s01 | "x_content_type_options": "nosniff",
s01 | "x_frame_options": "SAMEORIGIN"
s01 | }
s01 |
s01 | MSG:
s01 |
s01 | Status code was 401 and not [200]: HTTP Error 401: Unauthorized