Hi,
The best way to check whether the Akamai logs are being ingested into Splunk is to run a curl command on your Splunk HF where HEC is enabled. This will indicate whether the HEC input is working correctly in the first place.
Example:
curl -k http://splunkHFserver1:8088/services/collector/event -H "Authorization: Splunk xxxxxxxxxxxxxxxxxxxxxxxxxxx" -d '{"sourcetype": "akamai:cm:json", "event": "TEST-EVENT-1"}'
{"text":"Success","code":0}
You should see a success message with Error code 0.
If there are errors, then check the SSL version used by Akamai and set the cipherSuite setting accordingly in $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf.
Check whether the version used by Akamai CM is compatible with your Splunk version.
Hope this info helps.
Thanks,
Sai Appali
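The check described in the post above, as an added example that is not part of the original post: a small shell helper that sends the same test event and turns the HEC reply into the area to investigate. The function names are hypothetical, the grouping follows Splunk's documented HEC status codes, and the sample responses are constructed; it verifies the server certificate with an optional CA bundle instead of using `-k`.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose a Splunk HEC reply.

# Extract the numeric "code" field from a HEC JSON response body.
hec_code() {
    printf '%s' "$1" |
        sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Map a HEC response body to the area that needs attention.
hec_diagnose() {
    code=$(hec_code "$1")
    case "$code" in
        0)         echo "ok" ;;
        1|2|3|4)   echo "token" ;;        # disabled, missing, bad header, invalid token
        5|6|12|13) echo "payload" ;;      # no data, bad format, event field missing/blank
        7)         echo "index" ;;        # incorrect index for this token
        8|9)       echo "server" ;;       # internal error or server busy
        10|11|14)  echo "ack-channel" ;;  # data channel / indexer ACK problems
        "")        echo "no-hec-response" ;; # nothing parsed: TLS or network failure
        *)         echo "other" ;;
    esac
}

# Send one test event and print the diagnosis plus the raw reply.
# Usage: hec_test https://splunkHFserver1:8088 TOKEN [ca-bundle.pem]
hec_test() {
    url=$1
    token=$2
    ca=${3:-}
    body=$(curl -sS ${ca:+--cacert "$ca"} "$url/services/collector/event" \
        -H "Authorization: Splunk $token" \
        -d '{"sourcetype": "akamai:cm:json", "event": "TEST-EVENT-1"}') || body=""
    echo "$(hec_diagnose "$body"): $body"
}

# Constructed sample replies, so the script runs offline.
hec_diagnose '{"text":"Success","code":0}'        # ok
hec_diagnose '{"text":"Invalid token","code":4}'  # token
hec_diagnose ''                                   # no-hec-response
```

A `no-hec-response` result means curl failed before HEC answered, which is the case where the SSL version and cipherSuite check from the post applies.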