Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kpwaterson
kpwaterson
Explorer
Member since:
11-05-2021
03-28-2023
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 11-05-2021 |
Activity Feed
- Posted Re: How to display of UTF-8 characters? on Splunk Cloud Platform. 03-27-2023 05:54 AM
- Posted Re: Display of UTF-8 characters on Splunk Cloud Platform. 03-27-2023 05:53 AM
- Posted Re: Display of UTF-8 characters on Splunk Cloud Platform. 03-24-2023 09:29 AM
- Posted How to display of UTF-8 characters? on Splunk Cloud Platform. 03-24-2023 08:25 AM
- Karma Re: HEC Basic Authentication for PickleRick. 11-23-2021 12:00 PM
- Karma Re: HEC Basic Authentication for richgalloway. 11-23-2021 11:59 AM
- Posted HTTP/2 HEC on Getting Data In. 11-18-2021 12:53 PM
- Posted HEC Basic Authentication on Getting Data In. 11-18-2021 08:28 AM
- Posted Re: HTTP data input on Getting Data In. 11-08-2021 10:28 AM
- Posted HTTP data input on Getting Data In. 11-05-2021 02:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-27-2023
05:54 AM
Thanks, this was a misread of the RFC on my part. I appreciate the help.
... View more
03-24-2023
09:29 AM
It's sending an HTTP format message to an HEC whose default source type is also set to _json. Here is a dump of the request: POST /services/collector/event?host=myhost&source=KEN-STUFF&sourcetype=_json&index=galaxy&channel=FE0ECFAD-13D5-401B-847D-77833BD77131 HTTP/1.1 Host: <target URL> User-Agent: XYGATEMA Connection: keep-alive Content-Type: application/json Authorization: Splunk <HEC token> Content-Length: 1073 {"TIME":"2023-03-24 07:56:55.707","AUDIT": {"RECORDGMT":"2023-03-24:14:56:55.707636","GMTSEQNO":null,"RECORDLCT":"2023-03-24:07:56:55.707636","RECORDAUDITKEY":"","RECORDSESSIONKEY":"","SEQNO":null,"OUTCOME":4,"WARNINGMODE":"N","TESTMODE":"N","SEVERITY":"1","ALERTED":"A","PRODUCTCODE":"EMS","SUBJECT_USERNUMBER_MAJOR":null,"SUBJECT_USERNUMBER_MINOR":null,"TARGET_USERNUMBER_MAJOR":null,"TARGET_USERNUMBER_MINOR":null,"SUBJECTLOGIN":"","SUBJECTSYSTEM":"\\GALAXY","TARGETLOGIN":"","OBJECTTYPE":"COMFORTE.1.B00","OBJECTNAME":"","OPERATION":"EMS-EVENT","TERMINAL":"","MESSAGEID":2135,"MESSAGECODE":null,"RULENAME":"","USER_DATA":"REST alert","RESULT":"07:56 24MAR23 200,00,1268 Character test: 0242 (\\u00f2): >\uC3B2<"},"SESSION": {"RECORDSESSIONKEY":"","RECORDINSTALLKEY":"","SESSIONID":"\\GALAXY.$X98B:51790513","FOUNDSESSIONSTART":"N","FOUNDSESSIONEND":"N","SESSIONNAME":"","PROCESSTHREADID":"\\GALAXY.$X98B:51790513","PROCESSTHREADID2":"\\200.0,1268","CLIENTPROGRAM":"$Unknown.unknown.unknown","ANCESTORPROCESSTHREADID":"","IPADDRV46":"","DNSNAME":"","CLIENTCURRDIR":""}}
... View more
03-24-2023
08:25 AM
We are populating Splunk using an HEC connection with a source type of _json, set to the default character set of UTF-8. However, a field shown in the raw data as: "Character test: 0242 (\\u00f2): >\uC3B2<" is displayed as: Character test: 0242 (\u00f2): >쎲< I would have expected the display to show the character, ò, which is the UTF-8 equivalent of hexadecimal C3B2, rather than the displayed UNICODE character
... View more
Labels
- Labels:
-
using Splunk Cloud
11-18-2021
12:53 PM
Are there any plans to support HTTP/2 for HEC inputs?
... View more
Labels
- Labels:
-
HTTP Event Collector
11-18-2021
08:28 AM
I am attempting to use an HEC with basic authentication via HTTPS, but receiving a response 403 "Forbidden" when using the authorization header as Base64 encoded username:password pair. The username:HEC token works as is hinted in the documentation, so my question is whether there is any way to use a user's password for authentication, or a session key from a login request, when posting data to an HEC. If not, are there any endpoints that will return a response on an HTTP request? Thanks in advance for any advice you can give.
... View more
Labels
- Labels:
-
HTTP Event Collector
11-08-2021
10:28 AM
Thanks. FYI, the authorization header token is ignored, it doesn't matter whether it is included or not, but the issue was resolved by not using JSON. Also, including the Accept header does not change the format of the response - do you know if this is always XML?
... View more
11-05-2021
02:02 PM
I'm trying to post REST data via HTTP to splunk. This works when using a pre-generated token to an HEC: POST /services/collector/event HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Splunk 1d07454b-d9ef-41b0-9450-59d8670a78c7\r\nContent-Length: 166\r\n\r\n{\"time\": 1636117458, \"host\": \"galaxy.xypro.com\", \"source\": \"test\", \"event\": { \"message\": \"2021-11-05:13:04:18.491986: Logging test message #0\", \"severity\": \"INFO\" } } HTTP/1.1 200 OK\r\nDate: Fri, 05 Nov 2021 20:05:17 GMT\r\nContent-Type: application/json; charset=UTF-8\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 27\r\nVary: Authorization\r\nConnection: Keep-Alive\r\nX-Frame-Options: SAMEORIGIN\r\nServer: Splunkd\r\n\r\n{\"text\":\"Success\",\"code\":0} However, when I try to generate a session token to allow basic authorization, I see the following response, even though the user and password are correct: POST HTTPS://localhost:8089/services/auth/login HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Basic a3B3YXRlcnNvbjpUZXN0MTIzNDU=\r\nContent-Length: 48\r\n\r\n{\"username\":\"kpwaterson\",\"password\":\"Test12345\"} HTTP/1.1 400 Bad Request\r\nDate: Fri, 05 Nov 2021 19:57:40 GMT\r\nExpires: Thu, 26 Oct 1978 00:00:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nContent-Type: text/xml; charset=UTF-8\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 129\r\nConnection: Keep-Alive\r\nX-Frame-Options: SAMEORIGIN\r\nServer: Splunkd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n <messages>\n <msg type=\"WARN\">Login failed</msg>\n </messages>\n</response>\n I was also investigating using receivers\simple for http messages. Although the message is posted to splunk, a response is never received. POST /services/receivers/simple?source=NonStop&index=main&sourcetype=json_no_timestamp HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJrZW4ud2F0ZXJzb24gZnJvbSBWTS1ERVYtU1BMVU5LIiwic3ViIjoia2VuLndhdGVyc29uIiwiYXVkIjoiRGV2ZWxvcG1lbnQiLCJpZHAiOiJMREFQOi8vbWZhIiwianRpIjoiODUzMDYyZmFhZjA0NWY0Y2JlMWEyNGMxZWE3NTAyYjRmMjEwMGEyNzE0NzA1N2Q0MmUxOGVkYWRlMTYyZTlkZiIsImlhdCI6MTYzMzUyNTE5MywiZXhwIjoxNjM2MTE3MTkzLCJuYnIiOjE2MzM1MjUxOTN9.3TKSCeK52awMJDxNzfvfW4PNewsGVlKkFXSf0Vy1Dv7JH4DNH9Ogn_w5WZLkZkeNXmjJqU8opORXW7DjxA2eag\r\nContent-Length: 166\r\n\r\n{\"time\": 1636117714, \"host\":\"galaxy.xypro.com\", \"source\": \"test\", \"event\": { \"message\": \"2021-11-05:13:08:34.900042: Logging test message #0\", \"severity\": \"INFO\" } } Could you please let me know what may be the issue with generating the session key and why a response is not received from receivers/simple? Thanks.
... View more
Labels
- Labels:
-
HTTP Event Collector
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-28-2023
11:22 AM
|
