I'm running a cloud trial of Splunk and have set up an HTTP collector. Data is being delivered to the endpoint via cURL. See the following command and response:
curl -k https://input-prd-p-lmgm59gf8vp3.cloud.splunk.com:8088/services/collector -H "Authorization: Splunk 3c95e4e7-daa7-4c57-94b9-6f9df02c16d7" -d '{"event": "hello world"}'
{"text":"Success","code":0}
Despite repeated execution of the command, the Data Summary remains blank.
Does anyone know how to display the data submitted through cURL?
Try this (set Time picker to All time):
[|tstats max(_time) AS time WHERE index=* AND TERM("hello world") BY host source sourcetype index
| format
| rex field=search mode=sed "s/time/earliest/"] hello world
Cut and paste this EXACTLY as-is.
If you have success, data is in Splunk. Check the index=main if it is the case that you have set HEC to index it there.
Search for source="http:<your_hec_input_name>" (index="main")
Check that for All Time; I don't know when you ingested that dummy data, and it will have the time of when you indexed it.
If still no results, is this a Single Splunk Instance?