Troubleshoot the HEC Configuration

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. Data Manager creates HEC tokens for each data source. The following table shows the HEC token names used for each data source that is being onboarded.

Data is not arriving via HEC

Data is not arriving via HEC.

Cause

The HTTP Event Collector is not configured correctly.

Solution

1. Make sure the HEC token has been created successfully. Each HEC token name has a Data Manager Input ID. You can find the input ID in the URL shown in the Data Input Details page for each input.
2. Navigate to Settings > Data inputs and select HTTP Event Collector.
3. Make sure the HEC token is enabled.
4. Make sure the HEC token has the Indexer Acknowledgement enabled for CloudTrail, GuardDuty, SecurityHub, IAM Access Analyzer, and CloudWatch Logs.
5. If any input is missing a HEC token, delete the Input and recreate it.
   1. Click on the "delete" button in the Data Input Details panel or in the Data Management page.
   2. Follow the instructions to delete the Cloudformation Stacks/StackSet from the AWS accounts and then delete the input.
   3. If you are not able to delete an input because the resources still exist on AWS accounts, double-check your Cloudformation stacks or StackSet and stack instances in all data accounts and regions which were onboarded in that input.
6. If the issue still persists, check the Data manager app logs for more information about which resources still exist and look for any other exceptions that indicate where the error is located.
7. If the configuration is correct and your data still cannot be found, Contact Splunk Support.