Re: Debug HEC input

vadimm · ‎05-15-2020

How debug HEC input?
To see incoming JSON?

PavelP · ‎05-15-2020

Hello @vadimm

what is a problem you facing with? Do you need to debug the HEC input configuration or data itself? To see incoming JSON on the wire or before, during and after splunk processing?

to see JSON transmitted on the wire use tcpdump for HTTP input, some MitM Proxy for HTTPS input. Much easier if you can access the sending client.

Describe the situation with more than two sentences.

vadimm · ‎05-17-2020

On wire - not variant.
HTTPS and computer is same. On wire nothing emitted.
I get "Unable parse JSON" at DB Connect 3.3.0.
Want debug it.

PavelP · ‎05-17-2020

@vadimm, describe your envrionment. First you mentioned HEC input, now you mentioned DB Connect, they are not related 🙂

vadimm · ‎05-18-2020

They is completely related 🙂
Output of DB Connect is input for HEC 🙂

PavelP · ‎05-18-2020

your are right. But if you get an error on the DB Connect input phase, why you try to debug the HEC ?

please describe your environment. You wrote: HTTPS and computer are the same - what do you mean by this? Is this pipeline correct? And it is all on one and the same system? :

SQL DB -> DB Connect input -> Splunk -> HEC (HTTP Event Collector) input -> Splunk?

vadimm · ‎05-18-2020

Guess where DB connect use JSON format 😉
I`m wrote "Output of DB Connect is input for HEC".
Debug HEC input is logical, not?

HEC data input and add-on DB Connect installed on one computer. DB Connect use HTTPS and HEC, not pipeline :^-)

At last chain, "Splunk" is excessive. And not "DB Connect INPUT" 🙂
SQL DB - DB Connect - HEC

Debug HEC input

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability