On a Linux host I am testing our HEC IndexerAcknowledgement setup on our heavy forwarder and following the documentation example but I keep running into "invalid data format" errors. I am r...
I am trying to set up HEC for my indexer cluster (v8.0.7), with 2 indexers (and 3 search heads) managed by a master node. I read multiple docs and articles already, but I want to make sure I get s...
Hi Experts,
I configured an HEC input. After that I ran a curl command using that token, and it returns {"text":"Success","code":0}.
But no event comes into my INDEX.
Any suggestions on how to p...
...o enable HTTPEvent Collection on these indexers. I am referring to the documentation http://dev.splunk.com/view/event-collector/SP-CAAAE73 and it says,
Note: Using HTTPEventCollector in a distributed d...
Hello fellow Splunkers,
I need some help with HEC (HTTPEventCollector). The problem is that no events are appearing in any indexes. To simplify the issue I set up a test HEC config without SSL (http...
Hi,
I just downloaded and installed Splunk Light on-prem and I'm trying to use the HTTPEventCollector walk-through (http://dev.splunk.com/view/event-collector/SP-CAAAE7F) with postman/curl. I t...
We think that the HTTPEventCollector directly reaches the indexing queue when using the event endpoint. Meaning the props.conf that we place is being ignored. Is this right?
As I want to use the same HTTPeventcollector (HEC) token, can I add the new index=X and remove old index=Y? But, I don't want to lose the events on old index=Y. So, if I do that, the events on Index...
I have three standalone indexers in a round robin and want them to accept HTTPevents via the HTTPEventCollector. How do I generate a token with the same value on all three?
I can see http_event_collector_metrics.log logs under
$SPLUNK_HOME/var/log/introspection/splunk/
But Splunk says the latest event received was 2 days ago. What's going wrong in httpeventcollector...