Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query string method not working for HEC on Cloud

naiktej13
Engager
‎05-11-2017 03:00 AM

I have a splunk cloud stack which has HEC enabled on it and I am referring following page to send data via HEC:
http://dev.splunk.com/view/event-collector/SP-CAAAE7G

which have mentioned 3 ways:
1. HTTP Authentication
2. Basic authentication
3. Query string

Among them, 1 and 2 are working properly. But when I tried to send data via "Query string" it gives following Error:

{"text":"Query string authorization is not enabled","code":16}

The curl command I tried is as follow:
curl -k https://http-inputs-STACK_NAME.splunkcloud.com/services/collector/event?token=xxxxxxxx-xxxx-xxxx-xxx... -d '{"event": "hello world"}'

Any idea regarding How to enable the "Query string" in cloud stack?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hunters_splunk
Splunk Employee
Splunk Employee
‎05-11-2017 07:19 AM

Hi Naiktej13,

Seems that the allowQueryStringAuth has not been set to true in the HEC local stanza in your Cloud instance:
allowQueryStringAuth = [true|false]
For detailed information about his setting, see http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_... .

Please contact your Cloud administrator to set allowQueryStringAuth to true to Enable sending authorization token with query string.

Hope it helps. Thanks!
Hunter

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hunters_splunk
Splunk Employee
Splunk Employee
‎05-11-2017 07:19 AM

Hi Naiktej13,

Seems that the allowQueryStringAuth has not been set to true in the HEC local stanza in your Cloud instance:
allowQueryStringAuth = [true|false]
For detailed information about his setting, see http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_... .

Please contact your Cloud administrator to set allowQueryStringAuth to true to Enable sending authorization token with query string.

Hope it helps. Thanks!
Hunter

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...