Getting Data In

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

lpolo
Motivator

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented.

WEBHOOK_URL = 'https://localhost:8088/services/collector/event'
#headers = {'Content-Type': 'application/json'}
headers={'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F', 'Content-Type': 'application/json'}


message = { "index":"main", "sourcetype":"xqe_metric", "event":"Testing"}

print WEBHOOK_URL, headers, message

connection = httplib.HTTPSConnection('localhost:8088')
connection.request('POST', WEBHOOK_URL, json.dumps(message), headers)

response = connection.getresponse()
print response.read().decode(), '/n'

Response

    <module 'time' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so'>   Failed="no"
http://localhost:8088/services/collector/event {'Content-Type': 'application/json', 'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F'} {'index': 'main', 'sourcetype': 'xqe_metric', 'event': 'Testing'}
{"text":"Invalid authorization","code":3} /n

alt text

1 Solution

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gblock_splunk
Splunk Employee
Splunk Employee

I see you are using HTTPS. Just as a side note, as you sending to your local instance, the SSL cert is probably not valid in which case the request will be rejected unless you configure you client to ignore cert validation.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

lpolo
Motivator

Thanks. I saw the problem thanks to your observation.

0 Karma

shamscw
Engager

Hi Guys,

I have a similar problem - I'm using a HTTP event collector and installed an iApp for F5 load balancers.
I can see the F5 sending keys as follows from a packet capture:

Member Key: time
Member Key: host
Member Key: source
Member Key: sourcetype
Member Key: event

I can see the Splunk Server responding like this:

Member Key: text
String Value: Invalid authorization
Key: text

Member Key: code
Number Value: 3
Key: code

Where in Splunk do I configure the above Member Key which is causing an invalid authorization?

Thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is solved please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

Rich is correct!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The WEBHOOK_URL variable has unbalanced quotes and parens in it. If it's a not a typo in the question then it could explain the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lpolo
Motivator

Thanks, I updated the code and response it had a typo.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...