however when setting up the token you
get to also select a sourcetype

Wouldn't the issue here be that your using a field extracted sourcetype that requires a time field? I believe a non-field extracted sourcetype would have worked just fine (or even not specifying the sourcetype at all).

However you could provide feedback to the docs team around this

That's what I thought, however when providing a time in the event Json, and selecting the _json structured sourcetype, it would not work, as none of the examples spoke to the importance of the selected sourcetype when following the provided examples, this wasted a lot of troubleshooting time.

I would suggest that the sample curl in the doc's include a time element, as that is key to how Splunk works, rather than simply sending a string message, which shows a successful post but does not get indexed.

Please do click Accept on your answer and do include all of this feedback on the docs page.

As per woodcock please accept your answer, however I've used that test curl command before without issue which implies that it might be something related to your chosen sourcetype.

Anyway, the docs team is open to feedback!

Cuyose, the Splunk doc team is very receptive to feedback. If you submit your suggestion using the feedback form on the bottom of the topic that needs improvement, the doc team will receive it and can take action on it. Sorry that the process was more difficult than it needed to be!

Hey PowerPacked, thanks for your answer. I see that the events are logged successfully in the index. It has indeed received all the events that I sent. However, I don't know how to see those events. I am logged in as admin. Any ideas? Thanks!

Nevermind, I found the problem. Firstly, it was because the index was not set to "main", and the other was the host url. It wasn't "https". Fixing both made the logs pop up in my dashboard. Thank you!

Hi @Cuyose

Do you got fixed the issue?, we are facing same issue verified all the Token,Index names. Able to see event got logged into _introspection.log but not able see the event info at any index( main or customIndex)

Thanks, all of this was checked, data is not showing up in any index. My best assumption is it may be permissions related, either having access to view or within the backend with permissions to write. As I stated _introspection shows the metrics of the event it saw come in successfully, but on the index management page within splunk, no events are being added to any index.

Is there some condition where an event will not get written to an index, and not log an error in _internal?

Is your HEC instance a heavy forwarder or indexer? Is the data going to a new index? Is the index created?
Search for a larger time range?

This is on standalone enterprise test instance. indexes are created and searchable.

I am even seeing it was indexed in the _introspection logs, but just cant search it
{"datetime":"07-09-2018 11:59:27.627 -0700","log_level":"INFO","component":"HttpEventCollector","data":{"token_name":"hectest","series":"http_event_collector_token","transport":"http","format":"json","total_bytes_received":50,"total_bytes_indexed":14,"num_of_requests":1,"num_of_events":1,"num_of_errors":0,"num_of_parser_errors":0,"num_of_requests_to_disabled_token":0,"num_of_requests_in_mint_format":0}}

Did you expand your time range and search for a longer period to account for any timestamp/timezone issues?

Searching all time, still nothing

I should note, I am admin, full privilages