Splunk Cloud Platform

Can't resolve hostname for HTTP Event Collector

transformddaveh
Explorer

Hi, 

I'm very new to Splunk and have signed up for a trial account and am looking to connect with HTTP Event Collector using simple curl commands.

Following the docs here: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector

I've set up my new token using the default configuration. I'm certain I'm using the managed service as I don't have any access to global settings.

According to the above docs, to make calls using curl the endpoint is <protocol>://http-inputs-<host>:<port>/<endpoint>; however, I can't get anything other than curl: (6) Could not resolve host: http-inputs-<hostname>.splunkcloud.com

Do I need to enable something in my account so this host becomes available?
I'm using my login URL (from the screenshot below) as the hostname. That is correct, yes?

thambisetty
Super Champion

https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

Splunk Enterprise and Self-service Splunk Cloud

curl -k https://hec.splunk.com:8088/services/collector/event -H "Authorization: Splunk B5A89CAD-D842-46CC-80A1-017F83D7CFB2" -d '{"event": "hello world"}'

Hope you have created a new token using Settings -> Data Inputs -> HTTP Event Collector.

You are getting the error because you are using the wrong URL. Use the one Splunk has provided.

For example: if they have provided the URL prd-abcd.splunkcloud.com, your curl statement would be

curl -k https://prd-abcd.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk yourtoken" -d '{"event": "hello world"}'

Note: replace yourtoken with the token you get from your Splunk Cloud instance.

Don't enable indexer acknowledgement in the HEC settings while testing it from curl. If it's enabled you may get an error like the one below:

{"text":"Data channel is missing" ,"code":10}

————————————
If this helps, give a like below.


cruizba
Loves-to-Learn Everything

But this URL is not working for Docker using the logs driver. That's because the certificate used on https://prd-abcd.splunkcloud.com:8088 is not the same as the one used on port 443, the valid one at https://prd-abcd.splunkcloud.com

This leads to a problem running the docker driver like this one:

ERROR: for <service-name>  Cannot start service <service-name>: failed to initialize logging driver: Options https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event/1.0: x509: certificate is valid for SplunkServerDefaultCert, not prd-p-xxxxx.splunkcloud.com

transformddaveh
Explorer

Thanks for the help guys. Feels like I'm getting closer as I'm no longer getting "host not resolved", but still getting this as a return:

<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=https://prd-p-xxxxx.splunkcloud.com/en-US/services/collector/event"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="https://prd-p-xxxxx.splunkcloud.com/en-US/services/collector/event">here</a>.</p></body></html>

Tried with /services/collector (no /event) but same result. Maybe the endpoint has changed?

I was a bit confused by the documentation, which had prefixes for the URL of input or http-inputs depending on whether I'm using self-service or managed (I am using a managed trial service at the moment).

thambisetty
Super Champion

@transformddaveh, please read through my answer:

The reason for getting the error is that you haven't specified the port number, which is supposed to be 8088.

————————————
If this helps, give a like below.

transformddaveh
Explorer

Thank you, that was what I was missing the second time around.

I am now getting the right response!! Thanks for your help.


thambisetty
Super Champion

Great, you got the solution. Please accept my answer as the solution if you think it solves your problem.

————————————
If this helps, give a like below.

isoutamo
SplunkTrust

In a managed cloud environment this is 443, which you don't need to add to the URL. https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/UsetheHTTPEventCollector

thambisetty
Super Champion

The one he/she is using is not a managed cloud instance.

————————————
If this helps, give a like below.
isoutamo
SplunkTrust

If you enable it then you must add that channel on those requests and also query those acks on your client. More information can be found at:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/AboutHECIDXAck

If it's mandatory that you don't lose events then you must use that; otherwise you could lose some events from time to time. This can also lead you to a situation where you have duplicate events!

r. Ismo

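As an added example (not code from this thread or from Splunk), the following shows the channel-plus-acknowledgement round trip isoutamo describes, and the "Data channel is missing" response thambisetty warned about, against a constructed in-memory stand-in for the HEC endpoint. The FakeHec class, its indexing behaviour and the token value are assumptions; the request/response shapes follow the HEC /event and /ack endpoints.

```python
import json
import uuid

class FakeHec:
    """Constructed in-memory stand-in (not Splunk code) for a HEC endpoint with indexer
    acknowledgement enabled, mimicking the documented /event and /ack response shapes."""
    def __init__(self):
        self.next_ack_id, self.indexed, self.events = 0, {}, []

    def post(self, path, headers, body):
        if path == "/services/collector/event":
            if "X-Splunk-Request-Channel" not in headers:  # the failure quoted in the thread
                return 400, {"text": "Data channel is missing", "code": 10}
            self.events.append(json.loads(body)["event"])
            ack_id, self.next_ack_id = self.next_ack_id, self.next_ack_id + 1
            self.indexed[ack_id] = ack_id % 2 == 0  # simulate some events still in flight
            return 200, {"text": "Success", "code": 0, "ackId": ack_id}
        if path == "/services/collector/ack":
            ids = json.loads(body)["acks"]
            status = {str(i): self.indexed.get(i, False) for i in ids}
            for i in ids:  # by the next poll everything has been indexed
                self.indexed[i] = True
            return 200, {"acks": status}
        return 404, {"text": "Not Found", "code": 404}

def send_with_ack(transport, token, events, channel=None, max_polls=5):
    """Send events on one channel, then poll /ack until every ackId is confirmed.
    Returns (confirmed, unconfirmed); the caller should resend the unconfirmed ones."""
    headers = {"Authorization": f"Splunk {token}",
               "X-Splunk-Request-Channel": channel or str(uuid.uuid4())}
    pending = {}  # ackId -> event awaiting confirmation
    for ev in events:
        status, resp = transport.post("/services/collector/event", headers,
                                      json.dumps({"event": ev}))
        if status != 200 or resp.get("code") != 0:
            raise RuntimeError(f"HEC rejected event: {status} {resp}")
        pending[resp["ackId"]] = ev
    confirmed = []
    for _ in range(max_polls):
        if not pending:
            break
        _, resp = transport.post("/services/collector/ack", headers,
                                 json.dumps({"acks": list(pending)}))
        for ack_id, done in resp["acks"].items():
            if done:
                confirmed.append(pending.pop(int(ack_id)))
    return confirmed, list(pending.values())
```

Calling `send_with_ack(FakeHec(), "yourtoken", ["hello world", "second", "third"])` confirms all three events after two polls; with `max_polls=1` the second event is returned as unconfirmed and should be resent, which is the duplicate risk isoutamo mentions.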