
App shows 200, but no data

brreeves_splunk
Splunk Employee

G'day!

My Health Post app on my phone shows data upload succeeded and the logs show that it's getting 200's in response...but no data shows in my configured index per the HEC token (and the video).

I've checked my token from outside (so no firewall issue). I turned off https because I'm not currently serving a cert on my HEC port, and I use a reverse proxy to get to the front-end UI.

I'm open to suggestions, but I think at this point it may be how the iOS app translates my Splunk URL into a HEC endpoint...

0 Karma

woodcock
Esteemed Legend

If you are sure that your data is coming into the Indexers, check the following (each of these will create a log in `index=_*`):

1: If you are using an `index` value that is not defined:
1a: If you have `lastChanceIndex` defined, it will be there.
1b: If not, it will be dropped.
2: If your data is `malformed` then:
2a: If you have `malformedEventIndex` defined, it will be there.
2b: If not, it will be dropped.
3: If the date is too old, it will be dropped (see `MAX_DAYS_AGO`).
4: If the date is too far in the future, it will be dropped (see `MAX_DAYS_HENCE`).
5: If the date is interpreted incorrectly, you may be looking for it in the wrong place; it used to be that `All time` used `+Infinity`, but in some versions of Splunk, Splunk changed it to `now`, but in the very latest 8.0.2 it is back to `+Infinity`. In any case, use the `Advanced` section of the `Timepicker` and use `0` for `Earliest` and `@d+20d` for `Latest`.
0 Karma

brreeves_splunk
Splunk Employee

Even before any of this ^ wouldn't it show in the HEC Metrics that something is actually hitting?

0 Karma

brreeves_splunk
Splunk Employee

Also I did a Real Time 1min window and sent backfill data. Nothing showed.

0 Karma

brreeves_splunk
Splunk Employee

I tested this with my reverse proxy config removed, local IPs, on the same local network as the instance last night, with the same result 😞

0 Karma

nickhills
Ultra Champion

What URL do you have configured on your handset app?

If my comment helps, please give it a thumbs up!
0 Karma

brreeves_splunk
Splunk Employee

Any more thoughts, @nickhillscpl?

0 Karma

brreeves_splunk
Splunk Employee

I've tried the following (both http and https, with enabling and disabling SSL respectively in the HEC config):

  • internal IP while on the same wifi network with reverse proxy configuration removed.
  • external url which goes through nginx reverse proxy with both 8088 and 443 as ports

The one thing I haven't done is reconfigure my port forwarding and reverse proxy config so that my external URL points directly at my Splunk instance.

0 Karma

nickhills
Ultra Champion

What actual Address are you using for the endpoint?
It should be yourhost:8088/services/collector/event

If my comment helps, please give it a thumbs up!
0 Karma

brreeves_splunk
Splunk Employee

So the field in the app asks for the Splunk URL. Not the HEC endpoint. Since I use reverse proxy for the UI, I tried that. But I've also tried just putting the beginning bit of the HEC endpoint, assuming that it would add the /services/collector/event bit.
When I put in the base URL (without the reverse proxy stuff) it says successful, but my DMC shows nothing, and there's no data 😞

0 Karma
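
Added example, not part of the thread and not code from Splunk or the Health Post app: a Python check that tells a real HEC acknowledgement apart from a 200 that some other listener (the UI or a reverse proxy) returned, which is the situation discussed above. The function names, the default `http://` scheme and the sample replies are assumptions made for illustration; the endpoint path is the one nickhills gives.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_PATH = "/services/collector/event"  # endpoint path quoted in the thread

def hec_event_url(base):
    """Turn a base URL (as typed into an app's 'Splunk URL' field) into the HEC event endpoint."""
    # Assumption: a bare host:port means plain http, as in the setup described above.
    parts = urlsplit(base if "://" in base else "http://" + base)
    path = parts.path.rstrip("/")
    if not path.endswith(HEC_PATH):
        path += HEC_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def classify(status, body):
    """HEC answers with a JSON object carrying 'text' and 'code'; a UI or proxy page does not."""
    try:
        reply = json.loads(body)
    except ValueError:
        reply = None
    if not isinstance(reply, dict) or "code" not in reply:
        return "not-hec"  # a 200 here proves nothing about ingestion
    if status == 200 and reply["code"] == 0:
        return "accepted"
    return "hec-rejected code=%s" % reply["code"]

def probe(base, token, timeout=5):
    """Send one test event with the HEC token and classify whatever answers."""
    req = urllib.request.Request(
        hec_event_url(base),
        data=json.dumps({"event": "hec probe", "sourcetype": "manual"}).encode(),
        headers={"Authorization": "Splunk " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth reading
        status, body = err.code, err.read()
    except urllib.error.URLError:
        return "unreachable"
    return classify(status, body.decode("utf-8", "replace"))

# Constructed sample replies: a HEC acknowledgement and a web page that also returns 200.
SAMPLE_HEC_OK = '{"text":"Success","code":0}'
SAMPLE_UI_PAGE = "<html><head><title>Login</title></head></html>"
```

A result of `accepted` only means HEC took the event; the drop cases woodcock lists (undefined index, malformed data, out-of-range timestamps) happen after that point.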