
Http Event Collector CURL errors with {"text":"Invalid token","code":4} or "Empty reply from server" using Windows

sfortier99
Engager

I configured HTTP Event Collector and am trying to test it with:

curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*"  -d '{"event": "hello world"}'
error: {"text":"Invalid token","code":4}

I also tried:

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d "{\"event\":\"hello world\"}"

and I get response curl: (52) Empty reply from server

Running Windows Server 2012 R2

Why is this not working?

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'

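The two failures in this thread (a JSON reply with code 4, and curl exit status 52) can be told apart mechanically; the helper below is an added example, not code from any poster or from Splunk. The function names and result keywords are hypothetical, the hex-and-hyphen token check is an assumption about Splunk-generated tokens, and the sample values in the comments are constructed from the commands quoted above.

```shell
#!/bin/sh
# Added example: pre-flight and triage for a HEC test request.

# check_hec_auth HEADER_VALUE
# Assumption: a token generated by Splunk holds only hex digits and hyphens,
# so any other character (for example a trailing "*") did not come from Splunk.
check_hec_auth() {
    case "$1" in
        "Splunk "*) token=${1#"Splunk "} ;;
        *) echo "bad-scheme"; return 1 ;;
    esac
    case "$token" in
        "") echo "empty-token"; return 1 ;;
        *[!0-9A-Fa-f-]*) echo "bad-token-chars"; return 1 ;;
    esac
    echo "ok"
}

# triage_hec URL CURL_EXIT_STATUS RESPONSE_BODY
triage_hec() {
    url=$1; rc=$2
    body=$(printf '%s' "$3" | tr -d ' \t\r\n')   # tolerate pretty-printed JSON
    if [ "$rc" -eq 52 ]; then
        # curl 52: the connection closed without any HTTP response. In the
        # thread the https:// request to the same port was answered, so a
        # plain http:// URL is the first thing to rule out.
        case "$url" in
            http://*) echo "plain-http-to-tls-port" ;;
            *)        echo "empty-reply" ;;
        esac
        return 1
    fi
    case "$body" in
        *'"code":0}'*|*'"code":0,'*) echo "accepted" ;;
        *'"code":4}'*|*'"code":4,'*) echo "invalid-token" ;;
        *)                           echo "unrecognised" ;;
    esac
}
```

Call `check_hec_auth` with the exact header value before sending, then pass curl's exit status (`$?`) and the response body to `triage_hec`.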

KrishatSplunk
Observer

If you are using a deployment server to create the token and push it to your heavy forwarders, where it should actually authenticate, then you have to:
1. Make sure you change the useDeploymentServer flag to true, as below.

useDeploymentServer = 1

When this option is set to 1 and you make UI-based HEC changes on the deployment server, those changes are placed directly in the $SPLUNK_HOME/etc/deployment-apps/splunk_httpinput/ folder, rather than in the $SPLUNK_HOME/etc/apps/ folder.

Because if your inputs changes are in $SPLUNK_HOME/etc/apps/<anyapp>/inputs.conf on the deployment server and also on your heavy forwarder, then the REST/curl call to the token will end up with an Invalid token response, code 4.


0 Karma

gblock_splunk
Splunk Employee

How did you create your token? Did you manually add a stanza to conf? If so which conf file, and can you show the stanza?

If you log into the Splunk UI and go to Settings->Data Inputs->HTTP Event Collector, does your token show in the list?

0 Karma
