Splunk Enterprise

Why am I getting error "Data channel is missing" using HTTP Event Collector with Splunk Light?

Explorer

Hi,

I just downloaded and installed Splunk Light on-prem and I'm trying to use the HTTP Event Collector walk-through (http://dev.splunk.com/view/event-collector/SP-CAAAE7F) with Postman/curl. I tried all kinds of sample data, but I get:

{
  "text": "Data channel is missing",
  "code": 10
}

from https://localhost:8088/services/collector/event endpoint. Please help?

Thanks
Voffka

1 Solution

Splunk Employee

@otryshko based on the error my guess is you have enabled indexer acknowledgment on the token. If so, then you have to supply a channel. You can find this in our API docs. If you disable indexer acknowledgment for the token you won't need to supply channel.


Splunk Employee

About channels and sending data
Sending events with indexer acknowledgment enabled is similar to sending them without the setting enabled. However, there is one crucial difference: specifying a channel.

The concept of a channel was introduced in HEC primarily to prevent a fast client from impeding the performance of a slow client. When you assign one channel per client, because channels are treated equally on the Splunk server, one client can't affect another.

You must include a matching channel identifier both when sending data to HEC in an HTTP request and when requesting acknowledgement that events contained in the request have been indexed. If you don't, you will receive the error message, "Data channel is missing." Each request that includes a token for which indexer acknowledgement has been enabled must include a channel identifier.

inputs.conf (indexers acting as HEC receiver; customers also use HFs as HEC receivers):

[http]
disabled = 0

[http://idx_cluster_token]
disabled = 0
index = main
indexes = main
token = b7223516-1d22-4a7g-b6b3-74adb44da5ff
useACK = 0

Sample curl:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata

If the HEC receiver is not using indexer acknowledgement (useACK = 0):

curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" https://hec.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}'

If the HEC receiver is using indexer acknowledgement (useACK = 1), you must supply a channel identifier:

curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77131" https://rplinux06.sv.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'

NOTE: If your HEC receiver is using indexer acknowledgement and you don't specify a channel identifier (i.e. X-Splunk-Request-Channel), you will see an error like:
{"text":"Data channel is missing","code":10}

0 Karma
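
The send-then-acknowledge flow described in the answer above, as an added Python example that is not part of the original post or Splunk's own code. The function names are hypothetical; the `/services/collector/ack` endpoint and the reply shapes follow Splunk's HEC documentation rather than this page; and `send` verifies TLS against a CA file supplied by the caller instead of using `curl -k`.

```python
import json
import ssl
import urllib.error
import urllib.request
import uuid

HEC = "https://localhost:8088"  # assumption: the receiver from the question
CHANNEL = str(uuid.uuid4())     # one channel GUID per client, reused on every call


def event_request(token, event, channel=CHANNEL):
    """Event POST that carries the channel header a useACK token requires."""
    body = json.dumps({"sourcetype": "mysourcetype", "event": event}).encode()
    return urllib.request.Request(
        HEC + "/services/collector/event", data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "X-Splunk-Request-Channel": channel})


def ack_request(token, ack_ids, channel=CHANNEL):
    """Ack query for the same channel (ack endpoint per Splunk's HEC docs)."""
    body = json.dumps({"acks": list(ack_ids)}).encode()
    return urllib.request.Request(
        HEC + "/services/collector/ack?channel=" + channel, data=body,
        method="POST", headers={"Authorization": "Splunk " + token})


def send(req, cafile):
    """POST with TLS verification; HEC error replies come with an HTTP error status."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # e.g. {"text":"Data channel is missing","code":10}


def read_event_reply(text):
    """Return (accepted, ack_id, hint) for a reply from the event endpoint."""
    reply = json.loads(text)
    if reply.get("code") == 10:
        return False, None, "useACK is on for this token: send a channel or disable useACK"
    return reply.get("code") == 0, reply.get("ackId"), reply.get("text", "")


def unconfirmed(ack_reply_text):
    """ackIds not yet indexed; keep polling these on the same channel."""
    acks = json.loads(ack_reply_text)["acks"]
    return sorted(int(k) for k, done in acks.items() if not done)
```

A client calls `send(event_request(...), cafile)`, passes the reply to `read_event_reply`, then polls `send(ack_request(...), cafile)` until `unconfirmed` returns an empty list.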

Engager

Thank you! I was beating my head against the wall. Don't know how this got turned on in my setup but it definitely stopped everything.

0 Karma

New Member

You're great!

0 Karma

Explorer

@gblock [Splunk], I was able to solve this issue by disabling the indexer acknowledgements in the HEC config. However, I was wondering if you could help me to define the [client id] in Splunk Enterprise.
Appreciate your help in advance!

Thanks,
Arindam

0 Karma

Path Finder

This also worked for me!!! thanks a lot!

0 Karma

Path Finder

Where in the docs is this referenced?

0 Karma

Splunk Employee

@GeorgeStarkey, this is documented on our developer documentation site. The specific link in this case is http://dev.splunk.com/view/event-collector/SP-CAAAE8X#aboutchannels.

Explorer

@gblock - yes, it was the reason! Thank you for helping me out.

Splunk Employee

Awesome, glad that was it. This setting has thrown off a few folks. We probably need a better error message or something.

0 Karma

Splunk Employee

Hello Voffka,
Can you give an example of the curl request you are trying?

Also, did you make sure that the HTTP Event Collector is enabled and a new token is generated?

-D

Explorer

This is the curl code Postman generated for me:

curl -X POST -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -H "Cache-Control: no-cache" -H "Postman-Token: bd0646b6-0193-a4f3-eadd-835a57376af6" -d '{
    "event": { "hello": "world" }
}' "https://localhost:8088/services/collector/event"
0 Karma

Splunk Employee

Using the "curl" example in the docs, I was able to add an event to Splunk Light via the HTTP Event Collector.

curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk " -d '{"event": "hello world"}'
0 Karma

Explorer

Yes, I enabled event collection via global settings func. Below is the actual command line I run on Windows:

curl -k -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -d "{'event': { 'hello': 'world'}}" "https://localhost:8088/services/collector/event"

Have I misconfigured anything on the Splunk side? I pretty much downloaded the Light MSI, ran it and followed the walk-through.

What are the conditions under which the data channel could be reported as missing? I see this error text in splunkd.exe but googling for this error returns nothing.

0 Karma

Splunk Employee

Read my comment below. That error is likely because you enabled indexer acknowledgment on the token.