Getting Data In

HEC Token Authentication Failures

anil19
Engager

Dear Splunkers, 

If I could get an answer on how do I find which HEC token is causing authentication failures (num_of_auth_failures=1) from _introspection logs, will very much helpful.

I'm using below query to find the errors, but how do I pin point which is causing the issue?

index=_introspection component=TERM(HttpEventCollector) "data.series"=TERM(http_event_collector) (data.num_of_auth_failures=1 OR data.num_of_requests_to_disabled_token=1 OR data.num_of_requests_to_incorrect_url=1)

Thanks in Advance. 

Labels (2)
0 Karma

dkmcclory
Explorer

This is a really old post but I had the same problem.  A search query that appears to be helping me find these problems is:

index=_internal sourcetype=splunkd log_level=ERROR component=HttpInputDataHandler



The results are imperfect because they don't exactly match what's shown in the authentication failures, but in my case, it appears the errors are being caused by a source that is sending in blank/missing tokens.

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...