Hello. How can I troubleshoot a Cribl destination (Splunk HEC) not sending data? The destination is seen live/green check, but no data is flowing per tcpdump on source or destination. This goes out through a router, and the same data is arriving in the main index correctly, but I want it in a separate one. curl from Cribl to Splunk works (`curl -vk https://172.16.x.y:8088/services/collector/event -H 'Authorization: Splunk TOKEN' -d '{"event":"test"}'`). Thanks
My first step would be to send to `nc` running on a local host and interrogate the actual payload.
Trying that, but I suspect that I will get nothing. Destination out traffic charts are at 0. Not sure if rules order matters in router destination, but I tried to change those as I have a few disabled ones/set false.
For now, not getting expected data. If using the destination Test option, I get it in tcpdump and Splunk. I would think the problem is likely not in the destination but before. But not sure why, as the main routing is working and not this one.
Running the test from within the HEC destination doesn't involve routing in any way.
Yes, and this part is working. So that means the destination is configured fine, right? In this case, the problem is earlier.
Strangely, after switching back localhost to Splunk system, I now have data in tcpdump 8088 but strange correct/incorrect marking... all in AWS network
but no data in Splunk UI.
The test function should produce data in Splunk, if you specify the correct index.
Fix that first. Then tackle routing config.
OK, got it. That was the router "final" option check. Now got it in Splunk.
Thanks