I am trying to send notifications to an HEC in Splunk Cloud (self-service) using a JSON webhook from Chef Automate v2. The token I use is valid and I get success when using curl with an authentication header but not when using the following URL from Automate (actual info replaced with <> placeholders): <protocol>://input-<splunk_cloud_instance>.cloud.splunk.com:8088/services/collector/<token>
The error shows: "failed to post. Code 404. Body: {"text":"The requested URL was not found on this server.","code":404}"
Is there something different I need to do in the URL to get the message to post properly?
I found the issue. By default, query strings are disabled for auth with HEC in Splunk Cloud. The documentation tells me to submit a ticket to an admin to get allowQueryStringAuth=true added to my token in the file: $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf. The problem is that I am using Splunk Cloud free to do testing for integration with Chef products and so I can't submit a ticket. Is there a way to do this without buying a support contract? (especially when you are just doing integration testing 🙂)
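An added example, not part of the original post and not Chef or Splunk code: a minimal relay that accepts the webhook POST and forwards it to HEC with the Authorization: Splunk <token> header, the form the poster reports working with curl, so the token never has to appear in a URL. The listen address and port, the environment variable names, the placeholder URL and token, and the _json sourcetype are assumptions.

```python
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed settings; the default values are constructed placeholders.
HEC_URL = os.environ.get(
    "HEC_URL", "https://hec.example.invalid:8088/services/collector/event")
HEC_TOKEN = os.environ.get("HEC_TOKEN", "00000000-0000-0000-0000-000000000000")


def build_hec_request(webhook_body: bytes, url: str = HEC_URL,
                      token: str = HEC_TOKEN) -> urllib.request.Request:
    """Wrap a webhook JSON body in an HEC event envelope with header auth."""
    payload = json.loads(webhook_body)  # raises ValueError on non-JSON input
    envelope = json.dumps({"event": payload, "sourcetype": "_json"}).encode()
    return urllib.request.Request(
        url, data=envelope, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


class Relay(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            req = build_hec_request(body)
        except ValueError:
            status = 400  # reject bodies that are not JSON
        else:
            try:
                with urllib.request.urlopen(req, timeout=10) as resp:
                    status = resp.status
            except OSError:  # URLError and HTTPError are OSError subclasses
                status = 502
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # suppress per-request logging to stderr


if __name__ == "__main__":
    # Loopback bind assumes the relay runs on the same host as the sender.
    HTTPServer(("127.0.0.1", 8089), Relay).serve_forever()
```

The webhook sender is then pointed at the relay's address instead of the HEC URL, and the token stays in the relay's environment.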