Splunk Search

Sending Logs to splunk from logstash

ragmenion
New Member

Hi i am trying to send logs to splunk with HEC using logstash, but configuration is not working. A curl from the server is working but logs arent going through logstaash.

curl -k "https://splunk-hec.test.com:443/services/collector/raw?" \
-H "Authorization: Splunk XXXX" \
-d '{"event": "Hello!", "sourceType": "Test"}'

Logstash output config

http {
http_method => "post"
url => "https://splunk-hec.test.com:443/services/collector/event/1.0"
headers => ['Authorization', 'Splunk XXXXX']
mapping => {
"sourcetype" => "logstash"
}
}

Error

[HTTP Output Failure] Could not fetch URL {:url=>"https//splunk-hec.test.com:443/services/collector/event/1.0", :method=>:post, :body=>"{\"sourcetype\":\"logstash\"}", :headers=>{"Authorization"=>"Splunk XXX", :message=>"connect timed out",

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Timeouts most commonly are caused by lack of network connectivity, e.g. a firewall dropping your connection.
Assuming you did the curl test on a different machine, run the curl test on the machine that runs fails with logstash, and if curl fails there too then talk to your network team.

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...