splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

sc4s:probe curl string is incorrect, resulting in default index being used #2438

Closed nbertram-splunk closed 1 month ago

nbertram-splunk commented 2 months ago

Lines 178 and 184 of package/sbin/entrypoint.sh need to be updated to the following (respectively). The addition of the "/" in the URL causes the "?index" parameter not to be read in properly, so the event will end up in the default index of the HEC token rather than going to the index specified in the URL. Removing the "/" allows it to function correctly.

```sh
# line 178: probe the fallback index (no "/" between ${HEC} and "?index=")
if curl -s -S ${NO_VERIFY} "${HEC}?index=${SC4S_DEST_SPLUNK_HEC_FALLBACK_INDEX}" -H "Authorization: Splunk ${SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe"}' 2>&1 | grep -v '{"text":"Success"'

# line 184: probe the events index (same fix)
if curl -s -S ${NO_VERIFY} "${HEC}?index=${SC4S_DEST_SPLUNK_HEC_EVENTS_INDEX}" -H "Authorization: Splunk ${SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe"}' 2>&1 | grep -v '{"text":"Success"'
```

geoffmartin commented 2 months ago

I confirm the problem and that the solution worked for me. Thanks Nick!

ikheifets-splunk commented 1 month ago

Thanks @nbertram-splunk @geoffmartin! You are completely right, `?/index` is a wrong HTTP GET param; I prepared a PR with the fix.

ikheifets-splunk commented 1 month ago

@mstopa-splunk @rjha-splunk Probably we will move index to the json payload (together with sourcetype). I think it's strange that during a POST query we are using GET params.

mstopa-splunk commented 1 month ago

> @mstopa-splunk @rjha-splunk Probably we will move index to the json payload (together with sourcetype). I think it's strange that during a POST query we are using GET params.

@ikheifets-splunk you're right - both solutions work for me, but with a preference for moving to the json payload.
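Both routing options discussed in this thread (index as a query parameter attached directly to the endpoint, and index carried inside the JSON event envelope), as an added example that is not part of the sc4s project or its entrypoint.sh. It builds the sc4s:probe request either way, refuses the trailing "/" form that caused the misrouting, and parses the HEC reply instead of grepping for `{"text":"Success"`; the host, token and index names are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed sample values; in sc4s these come from the container environment
# (HEC, SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN, SC4S_DEST_SPLUNK_HEC_*_INDEX).
HEC = "https://splunk.example.internal:8088/services/collector/event"
TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder HEC token

PROBE_EVENT = {"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe"}


def build_probe(hec, token, index, index_in_payload=False):
    """Return (url, headers, body) for the sc4s:probe test event.

    index_in_payload=False mirrors the fixed entrypoint.sh lines: the index
    rides in the query string and attaches directly to the endpoint path.
    index_in_payload=True is the alternative raised in the issue: the index
    goes into the JSON envelope next to sourcetype, and the URL stays bare.
    """
    parts = urlsplit(hec)
    if parts.path.endswith("/"):
        # ".../event/?index=..." is the defect from the issue: the parameter is
        # not honoured and the event lands in the token's default index.
        raise ValueError("HEC endpoint must not end with '/' before '?index='")
    event = dict(PROBE_EVENT)
    if index_in_payload:
        event["index"] = index
        url = hec
    else:
        url = urlunsplit(parts._replace(query=urlencode({"index": index})))
    headers = {"Authorization": f"Splunk {token}"}
    return url, headers, json.dumps(event)


def probe_succeeded(response_text):
    """Parse the HEC reply rather than grepping it.

    HEC acknowledges with {"text":"Success","code":0}; any other code, or a
    non-JSON body such as a proxy error page, counts as a failed probe.
    """
    try:
        reply = json.loads(response_text)
    except ValueError:
        return False
    return reply.get("code") == 0 and reply.get("text") == "Success"


if __name__ == "__main__":
    for in_payload in (False, True):
        url, hdrs, body = build_probe(HEC, TOKEN, "sc4s_fallback", in_payload)
        print(url, body)
```

A successful reply only proves the token accepted the event; to confirm routing, search `index=<your fallback index> sourcetype=sc4s:probe` in Splunk and check the event did not land in the token's default index.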