Hi there,
Can someone please point me in the right direction? Thanks a lot.
I have tried setting up two different Splunk 6.3.1 servers (Windows and Linux) and have been unsuccessful in getting the Splunk Http Event Collector service to respond to any requests I send to either of them.
After initial tests from my application failed, I used the Chrome Postman plugin to send some basic tests, which failed for the same reason, The requested URL was not found on this server.
Here is a sample:
http://10.0.0.148:8088/services/collector -H 'Authorization: Splunk 76805875-741A-40EA-920E-F7BB1EAA6CBE' -d '{"event":"Hello, World!"}'
To clarify, I've verified that the IP address / port and protocol is correct, I have a valid token and Splunk EC is enabled in Global Settings.
But no matter "where" I send this POST, I get the same error message back. I'm starting to think that the path in the Splunk documentation might be wrong? (I tried a few variations after the :8088/ but to no avail)
I'm bound to port 8088 and I can see this active if I do a netstat -an
so all-in-all it looks like I have a service listening, I just don't know where to send the request to get it to the Splunk EC endpoint.
Any thoughts would be gratefully received.
Thanks
James
This post is the first search result on google, so I'm reviving it. I kept getting this error when making a curl command from the box itself:
root@splunk:/opt/splunk/bin# curl http://localhost:8088/services/collector/event/ -H "Authorization: Splunk $TOKEN" -d '{
"event": { "stuff": "value" } }'
{"text":"The requested URL was not found on this server.","code":404}
Well, after reading ALL the posts, I tracked it down to the extra "/" on the end, so this works:
root@splunk:/opt/splunk/bin# curl http://localhost:8088/services/collector/event -H "Authorization: Splunk $TOKEN" -d '{
"event": { "stuff": "value" } }'
{"text":"Success","code":0}
root@splunk:/opt/splunk/bin#
I have verified my wall is very sturdy. Or at least it was yesterday.
In Splunk you should go to
Settings > Data inputs > HTTP Event Collector
Then click the Global Settings button at the top of the page.
On the Edit Global Settings page make sure the All Tokens option is enabled.
As the error says, your url is wrong.
See http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/UsetheHTTPEventCollector
Your url should be http://10.0.0.148:8088/services/collector/event
Hi,
There are differences around what the URL should be, please look here:
http://dev.splunk.com/view/event-collector/SP-CAAAE7F
I have tried both variants - both fail whether i use /event on the end or not.
Thanks
James
Could be an issue with your postman plugin. Have you tried using curl? Also, is your collector running with SSL enabled? you will need to use https in your url if it is
EDIT
Also, the canonical documentation for the API is here: http://docs.splunk.com/Documentation/Splunk/6.3.1511/RESTREF/RESTinput#services.2Fcollector
Hi,
I tried with both Postman (default settings) and standard Chrome. I haven't tried curl yet. My collector doesn't have SSL enabled either.
Thanks for the link, most informative.
It is strange that I have two completely bog-standard vanilla Splunk installations and neither one of them responds to that path on that port.
Are you actually getting a 404 in response? If you are it can be only one of two things
Have you tried to access the rest enpoint from the splunk UI? You can do this like
`|rest /services/collector/ack'
If you get errors there the collector might not be properly configured. If you get no errors there then you may be making the request incorrectly - check the documentation of the tool you are using
Just to clarify, you're not using http://10.0.0.148:8088/services/collector -H 'Authorization: Splunk 76805875-741A-40EA-920E-F7BB1EAA6CBE' -d '{"event":"Hello, World!"}'
as a URL are you?
Hi there,
I think we are making some progress. It is definitely a 404 error I am getting.
I tried curl on the local (CentOS7 Minimal) box against localhost and I got an accepted event, so it would appear that the service although enabled is bound to localhost only at the moment and not the correct network adapter - or there is a setting preventing access to the service across the network.
Interesting how this is manifested on a Windows installation as well. But if I can get it working on the Linux box across the network then that would be preferable.
To clarify, Postman and Chrome still fails across the network (flat LAN) but curl will work with exactly the same settings but using localhost instead.
Thanks a lot for your help so far.