Here's a screenshot from when I had this working. You can see the code and the Splunk event on the other side.
https://www.dropbox.com/s/948pvvqkqser7s0/Lambda.png?dl=0
I created the original Eclipse example, so I know it can work, as I had a working version which I passed off to our docs team. This is against a managed Splunk Cloud instance, yes?
Hi @micahhausler.
This is a known issue; it is due to the type of ECC cert that we have used for self-service Splunk Cloud. The Docker driver works fine for our managed cloud but not for self-service. There is a plan to fix this.
@joxley, today using something like nginx is the right way to do it, but a better way is coming shortly; stay tuned. Also, another option is to use this node app, which gives you a proxy. In terms of the payload, our newer raw endpoint is perfect for receiving the standard webhook payload. As you observed, the auth header is still required today, but that will change.
One way is to send "host" in the request, as you are doing here. Alternatively, you can configure Splunk per token, so it will resolve the host based on the client that is sending. You do this in inputs.conf under the token stanza by setting connection_host to "ip" or "dns". You can see the setting here:
connection_host = [ip|dns|none]
* Specify the host if an event doesn't have host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in the HTTP header.
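The request shape the replies above talk about (the /services/collector/event and /services/collector/raw paths, the mandatory Authorization: Splunk <token> header, an explicit "host" in the event body versus letting connection_host fill it in), as an added Python example; this is not code from any reply in this thread or from Splunk. The hostnames, the port 8088, the token value and the stanza name are placeholders assumed for the example.

```python
import json
import urllib.parse
import urllib.request

# Placeholder defaults (assumptions for this example, not taken from the thread).
HEC_PORT = 8088
HEC_EVENT_PATH = "/services/collector/event"
HEC_RAW_PATH = "/services/collector/raw"


def hec_url(host, port=HEC_PORT, raw=False, params=None, scheme="https"):
    """Full collector URL. Client libraries that append the collector path
    themselves expect only scheme://host:port; here the path is built explicitly.
    The raw endpoint carries metadata (host, sourcetype, index, channel) as
    query parameters because its body is opaque text, e.g. a webhook payload."""
    path = HEC_RAW_PATH if raw else HEC_EVENT_PATH
    url = f"{scheme}://{host}:{port}{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def hec_event_payload(events, host=None, sourcetype=None, index=None):
    """Body for the /event endpoint. Each event is wrapped in its own JSON
    object; several objects are concatenated (newline-separated, not a JSON
    array), which is how HEC batches. A "host" key set here takes precedence
    over whatever connection_host in inputs.conf would derive from the sender."""
    docs = []
    for ev in events:
        doc = {"event": ev}
        if host is not None:
            doc["host"] = host
        if sourcetype is not None:
            doc["sourcetype"] = sourcetype
        if index is not None:
            doc["index"] = index
        docs.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(docs)


def hec_request(url, token, body, content_type="application/json"):
    """POST request carrying the Authorization header HEC requires."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    return urllib.request.Request(
        url,
        data=data,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": content_type},
    )


def send(req, timeout=10):
    """Perform the request; HEC answers with JSON such as {"text":"Success","code":0}."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def token_stanza(name, token, connection_host="ip", index=None, sourcetype=None):
    """inputs.conf stanza for one HEC token. connection_host tells Splunk how to
    fill in host when the event does not carry one: "ip", "dns" or "none"."""
    lines = [f"[http://{name}]", f"token = {token}", "disabled = 0",
             f"connection_host = {connection_host}"]
    if index is not None:
        lines.append(f"index = {index}")
    if sourcetype is not None:
        lines.append(f"sourcetype = {sourcetype}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample data; nothing is sent unless you call send() against a real HEC.
    token = "00000000-0000-0000-0000-000000000000"  # placeholder token
    body = hec_event_payload([{"msg": "login ok", "user": "alice"}],
                             host="web01", sourcetype="myapp:auth")
    req = hec_request(hec_url("splunk.example.com"), token, body)
    print(req.full_url, req.get_header("Authorization"), body, sep="\n")
    print(token_stanza("my_app_token", token, connection_host="dns"))
```

If your client library already appends /services/collector/event, pass it only scheme://host:port (with the port explicit, since HEC does not default to 80 or 443), otherwise the path ends up doubled. Leaving "host" out of the body and setting connection_host = ip or dns on the token is the right choice when many senders share one token and you do not trust them to label themselves correctly.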
@San55240, try removing "/services/collector/event" from the URL; the logging library sets this. I noticed you did not set the port; is your HEC instance on port 80?
@bento_prod, also in terms of Docker, the driver won't work today with self-service due to our certs not having support in golang. It will work with managed cloud instances though. If you want to use the driver with self-service, you'll need to deploy a forwarder running HEC (like in AWS) and have it forward to the cloud instance. We know this is not an ideal experience for the driver with single instance, and are working on a better solution.
How did you create your token? Did you manually add a stanza to conf? If so, which conf file, and can you show the stanza?
If you log into the Splunk UI and go to Settings->Data Inputs->HTTP Event Collector, does your token show in the list?
@yeungdarea, today HEC will not allow you to pass arbitrary metadata fields. There is something coming soon in HEC which will allow this and should ultimately make it to the Docker driver. For the Docker driver, the only option today is to add labels, which will show up in the JSON as you observed, or you can explore extracting fields other ways.