Solved: Re: Splunk 6.5.2: Why am I unable to add data via ...

phagunbaya · ‎01-30-2017

Working with Splunk 6.5.2. Using following curl command data ingestion fails:

$ curl -k  https://localhost:8088/services/collector/event -H "Authorization: Splunk D61EE079-8108-4DC8-ADF6-F139402993" -d "{\"hello\": \"world\"}"

Response:

{"text":"No data","code":5}

This was working fine with Splunk 6.3 and 6.4.

phagunbaya · ‎03-12-2017

Issue was that HEC accepts data in specified format. Sending data as {"time": "", "event":{"hello": "world"}} worked.

View solution in original post

phagunbaya · ‎03-12-2017

Issue was that HEC accepts data in specified format. Sending data as {"time": "", "event":{"hello": "world"}} worked.

aaraneta_splunk · ‎03-12-2017

@phagunbaya - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

starcher · ‎02-09-2017

Check that you do not have useDeploymentServer = 1 in the HEC config on your HF. You ONLY want that on at the DS. Sending it down to the HF causes it to look for tokens etc under deployment-apps instead of apps.

Splunk 6.5.2: Why am I unable to add data via HTTP Event Collector?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...