Getting Data In

Unable to see the log data in indexer read by HTTP Event Collector post reinstallation of Splunk package

santosh_hb
Explorer

Hi All,

Need quick help with the issue below.

  • We had configured HTTP Event Collector to read Netflow logs on port 8088 on the Splunk HF. (Splunk version was 7.2.1)
  • A token was generated, added on the External Logger, and authenticated to connect to the Splunk HF.
  • Now, for some reason we have stopped Splunk on the HF and reinstalled Splunk 7.1.6 on the same HF.
  • HTTP Event Collector configs were copied from the previous configuration along with the token value.
  • Now, the data has stopped flowing into the Indexer post this change.
  • Tried all the HTTP Event Collector debug techniques but unable to understand the issue.
  • I can't even see any errors in the internal logs coming from the HF.

I doubt the issue might be with the token that was created earlier. Do I need to recreate the HTTP token and reconfigure it?

Awaiting your help.
regards,
Santosh

0 Karma

renjith_nair
Legend

@santosh_hb,

Yes, each token has a unique value, which is a 128-bit number that is represented as a 32-character globally unique identifier (GUID). You have to create a new token after enabling HEC, as described in Configure HTTP Event Collector on Splunk Enterprise, in the new installation.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

VatsalJagani
SplunkTrust

@santosh_hb,
Check the configuration below; if all looks good, then re-create the token and use that. (As you have changed the Splunk version, re-creation of the token is probably required.)

  • In Global Settings > All Tokens is enabled.
  • Port is 8088 only.
  • Enable SSL is set to the proper value that you are using on the sender side.
  • Your token is enabled.

Hope this helps!!!

0 Karma
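The checklist in the answer above, run against a copied `inputs.conf`, as an added example that is not part of the original thread or Splunk's own tooling. It reads a single file's text (Splunk's effective settings can be merged from several files), and the stanza name `netflow_hec` and the token value are constructed.

```python
import configparser
import re

# Constructed sample: inputs.conf as copied from the old install. The stanza
# name "netflow_hec" and the token value are made up for this example.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 1
port = 8088
enableSSL = 1

[http://netflow_hec]
disabled = 0
token = 1b2c3d4e-5f60-4718-89ab-cdef01234567
"""

# 32 hex digits (128 bits) in the usual 8-4-4-4-12 GUID layout.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def check_hec_config(conf_text, expected_port=8088, sender_uses_ssl=True):
    """Return findings for the checklist above; an empty list means all pass.

    Assumption: a missing setting is reported instead of trusting a default.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("http"):
        return ["no [http] stanza: HEC global settings not found"]
    findings = []
    glob = cp["http"]
    if glob.getboolean("disabled", fallback=None) is not False:
        findings.append("[http] disabled is not 0: HEC is globally off")
    if glob.getint("port", fallback=None) != expected_port:
        findings.append(f"[http] port is not {expected_port}")
    if glob.getboolean("enableSSL", fallback=None) is not sender_uses_ssl:
        findings.append("[http] enableSSL does not match the sender's scheme")
    tokens = [s for s in cp.sections() if s.startswith("http://")]
    if not tokens:
        findings.append("no [http://<name>] token stanza")
    for name in tokens:
        stanza = cp[name]
        if stanza.getboolean("disabled", fallback=None) is not False:
            findings.append(f"[{name}] token is not enabled")
        if not GUID_RE.fullmatch(stanza.get("token", "")):
            findings.append(f"[{name}] token is not a 32-hex-digit GUID")
    return findings
```

On the sample, the only finding is the global `[http]` stanza being disabled, a case where a copied token stanza looks correct while HEC itself is off.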