
Why am I getting error "Data channel is missing" using HTTP Event Collector with Splunk Light?

otryshko
Explorer

Hi,

I just downloaded and installed Splunk Light on-prem and I'm trying to use the HTTP Event Collector walk-through (http://dev.splunk.com/view/event-collector/SP-CAAAE7F) with Postman/curl. I tried all kinds of sample data, but I get:

{
  "text": "Data channel is missing",
  "code": 10
}

from https://localhost:8088/services/collector/event endpoint. Please help?

Thanks
Voffka

1 Solution

gblock_splunk
Splunk Employee

@otryshko based on the error my guess is you have enabled indexer acknowledgment on the token. If so, then you have to supply a channel. You can find this in our API docs. If you disable indexer acknowledgment for the token you won't need to supply channel.


rphillips_splk
Splunk Employee

About channels and sending data
Sending events with indexer acknowledgment enabled is similar to sending them without the setting enabled. However, there is one crucial difference: specifying a channel.

The concept of a channel was introduced in HEC primarily to prevent a fast client from impeding the performance of a slow client. When you assign one channel per client, because channels are treated equally on the Splunk server, one client can't affect another.

You must include a matching channel identifier both when sending data to HEC in an HTTP request and when requesting acknowledgement that events contained in the request have been indexed. If you don't, you will receive the error message, "Data channel is missing." Each request that includes a token for which indexer acknowledgement has been enabled must include a channel identifier.

inputs.conf (indexers acting as HEC receiver; customers also use HFs as HEC receivers):

[http]
disabled = 0

[http://idx_cluster_token]
disabled = 0
index = main
indexes = main
token = b7223516-1d22-4a7g-b6b3-74adb44da5ff
useACK = 0

sample curl:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Senddata

if HEC receiver is not using indexer acknowledgement (useACK = 0):

curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" https://hec.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}'

if HEC receiver is using indexer acknowledgement (useACK = 1) you must supply a channel identifier:

curl -k -H "Authorization: Splunk b7223516-1d22-4a7g-b6b3-74adb44da5ff" -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77131" https://rplinux06.sv.splunk.com:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'

NOTE: if your HEC receiver is using indexer acknowledgement and you don't specify a channel identifier (i.e. the X-Splunk-Request-Channel header) you will see an error like:
{"text":"Data channel is missing","code":10}

scentoni_splunk
Splunk Employee

From About HTTP Event Collector Indexer Acknowledgment:

Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel.

One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname:

export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))")
curl \
-k \
https://$HEC_HOST:8088/services/collector/event \
-H "Authorization: Splunk $HEC_TOKEN" \
-H "X-Splunk-Request-Channel: $HEC_CHANNEL" \
-d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'
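The channel/ack exchange the two answers above describe (a per-client GUID derived from the hostname, the X-Splunk-Request-Channel header on both the event and the ack request, then polling until the indexer confirms), as an added Python example that is not part of any post here. The FakeHEC class is a constructed offline stand-in for a receiver with useACK = 1, and HEC_TOKEN is a placeholder.

```python
import json
import uuid

# Constructed placeholder token; not the token from any post above.
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

def channel_id(hostname: str) -> str:
    """Stable per-client GUID derived from the hostname (uuid3 over NAMESPACE_DNS)."""
    return str(uuid.uuid3(uuid.NAMESPACE_DNS, hostname))

def build_request(event, token, channel=None):
    """Headers and JSON body for POST /services/collector/event.
    X-Splunk-Request-Channel is only required when the token has useACK = 1."""
    headers = {"Authorization": f"Splunk {token}"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    return headers, json.dumps({"sourcetype": "mysourcetype", "event": event})

class FakeHEC:
    """Offline stand-in for a HEC receiver with useACK = 1 (assumed behaviour)."""
    def __init__(self):
        self.indexed, self.next_ack, self.polls = [], 0, 0

    def post(self, path, headers, body):
        if "X-Splunk-Request-Channel" not in headers:  # both endpoints need it
            return 400, {"text": "Data channel is missing", "code": 10}
        if path == "/services/collector/event":
            self.indexed.append(json.loads(body)["event"])
            self.next_ack += 1
            return 200, {"text": "Success", "code": 0, "ackId": self.next_ack - 1}
        self.polls += 1  # /services/collector/ack: indexed after the second poll
        wanted = json.loads(body)["acks"]
        return 200, {"acks": {str(a): self.polls >= 2 for a in wanted}}

def send_and_ack(post, event, token, channel, max_polls=5):
    """Send one event, then poll the ack endpoint (same channel) until confirmed."""
    headers, body = build_request(event, token, channel)
    _, resp = post("/services/collector/event", headers, body)
    if resp.get("code") == 10:
        raise RuntimeError("useACK is on for this token: send X-Splunk-Request-Channel")
    if resp.get("code") != 0:
        raise RuntimeError(f"HEC rejected event: {resp}")
    ack_id = resp["ackId"]
    for _ in range(max_polls):
        _, acks = post("/services/collector/ack", headers, json.dumps({"acks": [ack_id]}))
        if acks["acks"].get(str(ack_id)):
            return ack_id  # indexed; safe to drop the client-side copy
    return None  # not yet acked: keep the event and retry later
```

Against a real receiver, replace `srv.post` with a function that issues the HTTPS POST to the HEC host and returns the parsed JSON body.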


patelmc
Explorer

Where can I get channel info ?


dwilliams03
Engager

Thank you! I was beating my head against the wall. Don't know how this got turned on in my setup but it definitely stopped everything.


edquijano
New Member

You're great!


arindamlaha
Explorer

@gblock [Splunk], I was able to solve this issue by disabling the indexer acknowledgements in the HEC config. However, I was wondering if you could help me to define the [client id] in Splunk Enterprise.
Appreciate your help in advance!

Thanks,
Arindam


marcellodesales
Path Finder

This also worked for me!!! thanks a lot!


GeorgeStarkey
Path Finder

Where in the docs is this referenced?


andrewb_splunk
Splunk Employee

@GeorgeStarkey, this is documented on our developer documentation site. The specific link in this case is http://dev.splunk.com/view/event-collector/SP-CAAAE8X#aboutchannels.

otryshko
Explorer

@gblock - yes, it was the reason! Thank you for helping me out.

gblock_splunk
Splunk Employee

Awesome, glad that was it. This setting has thrown off a few folks. We probably need a better error message or something.


dkoshe_splunk
Splunk Employee

Hello Voffka,
Can you give an example of the curl request you are trying?

Also, did you make sure that HTTP Event Collection is enabled and a new token is generated?

-D

otryshko
Explorer

this is the curl code Postman generated for me:

curl -X POST -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -H "Cache-Control: no-cache" -H "Postman-Token: bd0646b6-0193-a4f3-eadd-835a57376af6" -d '{
    "event": { "hello": "world" }
}' "https://localhost:8088/services/collector/event"

jterry
Splunk Employee

Using the "curl" example in the docs I was able to add an event to Splunk Light via the HTTP Event Collector.

curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk " -d '{"event": "hello world"}'

otryshko
Explorer

Yes, I enabled event collection via global settings func. Below is the actual command line I run on windows:

curl -k -H "Authorization: Splunk 9969503D-2D88-4C80-A6BC-A7FBE14736C7" -d "{'event': { 'hello': 'world'}}" "https://localhost:8088/services/collector/event"

Have I misconfigured anything on the splunk side? I pretty much downloaded the light msi, ran it and followed the walk-through.

What are the conditions under which the data channel could be reported as missing? I see this error text in splunkd.exe, but googling for this error returns nothing.


gblock_splunk
Splunk Employee

Read my comment below. That error is likely because you enabled indexer acknowledgment on the token.
