Working with Splunk 6.5.2. Using the following curl command, data ingestion fails:
$ curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk D61EE079-8108-4DC8-ADF6-F139402993" -d "{\"hello\": \"world\"}"
Response:
{"text":"No data","code":5}
This was working fine with Splunk 6.3 and 6.4.
The issue was that HEC accepts data in a specified format. Sending data as {"time": "", "event":{"hello": "world"}} worked.
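The envelope format described in the answer above, as an added example that is not part of the original posts and is not Splunk code: it wraps a payload under an "event" key and checks a request body before it is sent to /services/collector/event. The function names `wrap_for_hec` and `preflight` are hypothetical, and defaulting "time" to the current epoch seconds is an assumption of this sketch.

```python
import json
import time

# Envelope keys besides "event" that the HEC event endpoint accepts.
HEC_METADATA_KEYS = {"time", "host", "source", "sourcetype", "index", "fields"}


def wrap_for_hec(payload, **metadata):
    """Wrap an arbitrary payload in the envelope HEC expects (hypothetical helper)."""
    unknown = set(metadata) - HEC_METADATA_KEYS
    if unknown:
        raise ValueError(f"unsupported envelope keys: {sorted(unknown)}")
    # Assumption: default "time" to now; a caller-supplied time overrides it.
    envelope = {"time": time.time(), **metadata, "event": payload}
    return json.dumps(envelope)


def preflight(body):
    """Return a list of problems found in a request body before it is sent.

    A body may hold several envelopes back to back (batching), so decode
    them one at a time with raw_decode instead of json.loads.
    """
    problems, decoder, pos, n = [], json.JSONDecoder(), 0, 0
    body = body.strip()
    while pos < len(body):
        try:
            obj, end = decoder.raw_decode(body, pos)
        except json.JSONDecodeError as exc:
            problems.append(f"object {n}: invalid JSON ({exc.msg})")
            break
        if not isinstance(obj, dict) or "event" not in obj:
            problems.append(f'object {n}: no "event" key')
        elif obj["event"] == "":
            problems.append(f'object {n}: "event" is empty')
        pos, n = end, n + 1
        while pos < len(body) and body[pos].isspace():
            pos += 1  # raw_decode does not skip whitespace between objects
    if n == 0 and not problems:
        problems.append("empty body")
    return problems


if __name__ == "__main__":
    bare = '{"hello": "world"}'  # the body sent in the question
    print(preflight(bare))
    print(preflight(wrap_for_hec({"hello": "world"}, sourcetype="_json")))
```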
@phagunbaya - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Check that you do not have useDeploymentServer = 1 in the HEC config on your HF. You ONLY want that on at the DS. Sending it down to the HF causes it to look for tokens etc under deployment-apps instead of apps.