Hi,
I just downloaded and installed Splunk Light on-prem and I'm trying to use the HTTP Event Collector walk-through (http://dev.splunk.com/view/event-collector/SP-CAAAE7F) with Postman/curl. I tried all kinds of sample data, but I get:
{
"text": "Data channel is missing",
"code": 10
}
from https://localhost:8088/services/collector/event endpoint. Please help?
Thanks
Voffka
@otryshko based on the error my guess is you have enabled indexer acknowledgment on the token. If so, then you have to supply a channel. You can find this in our API docs. If you disable indexer acknowledgment for the token you won't need to supply channel.
About channels and sending data
Sending events with indexer acknowledgment enabled is similar to sending them without the setting enabled. However, there is one crucial difference: specifying a channel.
The concept of a channel was introduced in HEC primarily to prevent a fast client from impeding the performance of a slow client. When you assign one channel per client, because channels are treated equally on the Splunk server, one client can't affect another.
You must include a matching channel identifier both when sending data to HEC in an HTTP request and when requesting acknowledgement that events contained in the request have been indexed. If you don't, you will receive the error message, "Data channel is missing." Each request that includes a token for which indexer acknowledgement has been enabled must include a channel identifier.
inputs.conf (indexers acting as HEC receiver, customers also use HFs as HEC receivers):
[http]
disabled = 0
[http://idx_cluster_token]
disabled = 0
index = main
indexes = main
token = b7223516-1d22-4a7g-b6b3-74adb44da5ff
useACK = 0
sample curl:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata
if HEC receiver is not using indexer acknowledgement (useACK = 0):
curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" https://hec.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}'
if HEC receiver is using indexer acknowledgement (useACK = 1) you must supply a channel identifier:
curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77131" https://rplinux06.sv.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'
NOTE: if your HEC receiver is using indexer acknowledgement and you don't specify a Channel Identifier (i.e. X-Splunk-Request-Channel) you will see an error like:
{"text":"Data channel is missing","code":10}
From About HTTP Event Collector Indexer Acknowledgment:
Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel.
One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname:
export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))")
curl \
-k \
https://$HEC_HOST:8088/services/collector/event \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "X-Splunk-Request-Channel: $HEC_CHANNEL" \
-d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'
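The send-then-acknowledge flow described above, as an added example that is not part of the original post or Splunk's own code: it attaches the channel header, turns the code 10 reply into an actionable error, and reads an acknowledgement status reply. The /services/collector/ack endpoint, the ackId field and the shape of the replies are assumptions taken from Splunk's HEC documentation rather than from this thread, and the sample replies are constructed.

```python
import json
import urllib.error
import urllib.request
import uuid

def new_channel():
    """One random GUID per sending client; reuse it for that client's ack queries."""
    return str(uuid.uuid4())

def hec_headers(token, channel=None):
    headers = {"Authorization": f"Splunk {token}"}
    if channel:  # required whenever the token has useACK = 1
        headers["X-Splunk-Request-Channel"] = channel
    return headers

def hec_post(url, token, payload, channel=None, context=None):
    """POST JSON to HEC and return the raw reply body, also for HTTP errors."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=hec_headers(token, channel), method="POST")
    try:
        with urllib.request.urlopen(req, context=context) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # HEC error replies carry a JSON body
        return err.read().decode()

def ack_id_from(reply_body):
    """Return the ackId of an accepted event, or raise with the cause."""
    reply = json.loads(reply_body)
    if reply.get("code") == 10:
        raise RuntimeError("Data channel is missing: the token has useACK = 1; "
                           "send X-Splunk-Request-Channel or set useACK = 0")
    if reply.get("code") != 0:
        raise RuntimeError(f"HEC rejected the event: {reply}")
    return reply.get("ackId")  # None when the token does not use acks

def unindexed(ack_reply_body):
    """Ack IDs that the indexer has not confirmed yet."""
    acks = json.loads(ack_reply_body)["acks"]
    return sorted(int(i) for i, done in acks.items() if not done)

# Constructed sample replies (not captured from a real server).
SAMPLE_OK = '{"text":"Success","code":0,"ackId":3}'
SAMPLE_MISSING = '{"text":"Data channel is missing","code":10}'
SAMPLE_ACKS = '{"acks":{"3":true,"4":false}}'

if __name__ == "__main__":
    channel = new_channel()
    print(hec_headers("<HEC token>", channel))
    print(ack_id_from(SAMPLE_OK), unindexed(SAMPLE_ACKS))
    # Against a live receiver (assumed endpoints, same channel for both calls):
    #   body = hec_post(base + "/services/collector/event", token, {"event": "hi"}, channel)
    #   hec_post(base + "/services/collector/ack", token, {"acks": [ack_id_from(body)]}, channel)
```

Pass an ssl context that trusts the receiver's certificate as the context argument instead of relying on the equivalent of curl -k.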
Where can I get channel info ?
Thank you! I was beating my head against the wall. Don't know how this got turned on in my setup but it definitely stopped everything.
You're great!
@gblock [Splunk], I was able to solve this issue by disabling the indexer acknowledgements in the HEC config. However, I was wondering if you could help me to define the [client id] in Splunk Enterprise.
Appreciate your help in advance!
Thanks,
Arindam
This also worked for me!!! thanks a lot!
Where in the docs is this referenced?
@GeorgeStarkey, this is documented on our developer documentation site. The specific link in this case is http://dev.splunk.com/view/event-collector/SP-CAAAE8X#aboutchannels.
@gblock - yes, it was the reason! Thank you for helping me out.
Awesome, glad that was it. This setting has thrown off a few folks. We probably need a better error message or something.
Hello Voffka,
Can you give an example of the curl request you are trying?
Also, did you make sure that HTTP Event collection is enabled and a new token is generated?
-D
this is the curl code Postman generated for me:
curl -X POST -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -H "Cache-Control: no-cache" -H "Postman-Token: bd0646b6-0193-a4f3-eadd-835a57376af6" -d '{
"event": { "hello": "world" }
}' "https://localhost:8088/services/collector/event"
Using the "curl" example in the docs I was able to add an event to Splunk Light via the HTTP Event Collector.
curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk " -d '{"event": "hello world"}'
Yes, I enabled event collection via global settings func. Below is the actual command line I run on Windows:
curl -k -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -d "{'event': { 'hello': 'world'}}" "https://localhost:8088/services/collector/event"
Have I misconfigured anything on the Splunk side? I pretty much downloaded the Light MSI, ran it and followed the walk-through.
What are the conditions under which the data channel could be reported as missing? I see this error text in splunkd.exe but googling for this error returns nothing.
Read my comment below. That error is likely because you enabled indexer acknowledgment on the token.