Getting Data In

Http Event Collector CURL errors with {"text":"Invalid token","code":4} or "Empty reply from server" using Windows

sfortier99
Engager

I configured HTTP Event Collector and am trying to test it with:

curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*"  -d '{"event": "hello world"}'
error:  {"text"."Invalid token","code"4}

I also tried:

curl -k http://localhost:8088/services/collector/event -H "Authorization: Splunk 8111111111111*" -d "{\"event\":\"hello world\"}"

and I get response curl: (52) Empty reply from server

Running Windows Server 2012 R2

Why is this not working?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'

View solution in original post

KrishatSplunk
Observer

If you are using deploment server to create the token and push it to your heavy forwarders where it should be actually authenticate then you have to:
1. To make sure you change useDeploymentServer flag to true as below.

 

useDeploymentServer = 1

 

When this option is set to 1 and you make UI-based HEC changes on the deployment server, those changes are placed directly in the $SPLUNK_HOME/etc/deployment-apps/splunk_httpinput/ folder, rather than in $SPLUNK_HOME/etc/apps/folder. 

Because if  your inputs changes is there in the $SPLUNK_HOME/etc/apps/<anyapp>/inputs.conf  on deployment server and also in your Heavy forwarder . Then the rest/curl call to token will end up in Invalid token response code 4.

 

0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

How did you create your token? Did you manually add a stanza to conf? If so which conf file, and can you show the stanza?

If you log into the Splunk UI and go to Settings->Data Inputs->HTTP Event Collector does your token show in the list?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try (verify the token value is correct and same as what you generated in Splunk)

curl -k  https://localhost:8088/services/collector/event -H 'Authorization: Splunk 8111111111111'  -d '{"event": "hello world"}'
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...