Data Manager

Troubleshooting Manual

Troubleshoot the HEC Configuration

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. Data Manager creates HEC tokens for each data source. The following table shows the HEC token names used for each data source that is being onboarded.

Data source being onboarded               HEC token name
AWS GuardDuty                             data-manager-guardduty_<input_id>
AWS SecurityHub                           data-manager-securityhub_<input_id>
AWS IAM Access Analyzer                   data-manager-iam-aa_<input_id>
AWS CloudTrail                            data-manager-cloudtrail_<input_id>
AWS IAM Credential report and Metadata    data-manager-lambda_<input_id>
AWS CloudWatch Logs                       data-manager-cwl_<input_id>

Data is not arriving via HEC

Data is not arriving via HEC.

Cause

The HTTP Event Collector is not configured correctly.

Solution

  1. Make sure the HEC token has been created successfully. Each HEC token name ends with the Data Manager input ID (the <input_id> suffix in the table above). You can find the input ID in the URL of the Data Input Details page for each input.
  2. Navigate to Settings > Data inputs and select HTTP Event Collector.
  3. Make sure the HEC token is enabled.
  4. Make sure indexer acknowledgement is enabled on the HEC tokens for CloudTrail, GuardDuty, SecurityHub, IAM Access Analyzer, and CloudWatch Logs.
  5. If any input is missing a HEC token, delete the input and recreate it.
    1. Click the Delete button in the Data Input Details panel or on the Data Management page.
    2. Follow the instructions to delete the CloudFormation stacks or StackSet from the AWS accounts, and then delete the input.
    3. If you cannot delete an input because its resources still exist in the AWS accounts, double-check the CloudFormation stacks, or the StackSet and its stack instances, in every data account and region that was onboarded for that input.
  6. If the issue persists, check the Data Manager app logs for more information about which resources still exist, and look for any other exceptions that indicate where the error is located.
  7. If the configuration is correct and your data still cannot be found, contact Splunk Support.
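The checks in steps 1 through 4 can be scripted against the splunkd REST API instead of clicked through in Settings. The script below is an added example, not Data Manager code or a Splunk-provided tool: it lists the HEC inputs from services/data/inputs/http, verifies that a token named <prefix>_<input_id> exists for each onboarded input, that it is not disabled, and that useACK (indexer acknowledgement) is on for the sources that require it. It also builds and sends one acknowledged test event, because a token with indexer acknowledgement enabled rejects any POST that lacks the X-Splunk-Request-Channel header with HTTP 400, which is a common reason for "data is not arriving" when a sender was configured before acknowledgement was turned on. The management port 8089, HEC port 8088, and the endpoints services/collector/event and services/collector/ack are standard splunkd; the hostnames, credentials, input IDs and sample entries are constructed placeholders.

```python
"""Audit Data Manager HEC tokens and send an acknowledged test event.

Added example; not part of the Data Manager documentation or product code.
Assumes a reachable splunkd management port (default 8089) and HEC port
(default 8088), and a Splunk user allowed to read data/inputs/http. Input IDs,
hostnames and credentials below are constructed placeholders.
"""
import json
import ssl
import urllib.request
import uuid
from base64 import b64encode

# HEC token name prefixes per data source, from the table in this topic.
TOKEN_PREFIX = {
    "guardduty": "data-manager-guardduty_",
    "securityhub": "data-manager-securityhub_",
    "iam-aa": "data-manager-iam-aa_",
    "cloudtrail": "data-manager-cloudtrail_",
    "lambda": "data-manager-lambda_",
    "cwl": "data-manager-cwl_",
}
# Sources whose tokens must have indexer acknowledgement (useACK) enabled.
ACK_REQUIRED = {"guardduty", "securityhub", "iam-aa", "cloudtrail", "cwl"}


def _ssl_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only: splunkd with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_hec_tokens(host, user, password, port=8089, verify_tls=True):
    """Return splunkd's HEC input entries (list of {"name", "content"} dicts)."""
    url = f"https://{host}:{port}/services/data/inputs/http?output_mode=json&count=0"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls), timeout=30) as resp:
        return json.load(resp)["entry"]


def _is_on(value):
    # splunkd returns booleans as "0"/"1" or true/false depending on version.
    return str(value).lower() in ("1", "true")


def audit_hec_tokens(entries, inputs):
    """Return one finding per problem: missing token, disabled token, or useACK
    off where the source requires it. An empty list means steps 1-4 pass."""
    by_name = {}
    for e in entries:
        name = e["name"]
        by_name[name[7:] if name.startswith("http://") else name] = e.get("content", {})
    findings = []
    for source, input_id in inputs:
        name = TOKEN_PREFIX[source] + input_id
        content = by_name.get(name)
        if content is None:
            findings.append(f"{name}: token missing; delete and recreate the input")
            continue
        if _is_on(content.get("disabled", "0")):
            findings.append(f"{name}: token is disabled")
        if source in ACK_REQUIRED and not _is_on(content.get("useACK", "0")):
            findings.append(f"{name}: indexer acknowledgement (useACK) is off")
    return findings


def build_event_request(token, use_ack, channel=None, host="splunk.example", port=8088):
    """Build (url, headers, body) for one HEC test event. With useACK on, HEC
    rejects requests that lack X-Splunk-Request-Channel with HTTP 400."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if use_ack:
        headers["X-Splunk-Request-Channel"] = channel or str(uuid.uuid4())
    body = json.dumps({"event": "data-manager HEC connectivity test",
                       "sourcetype": "hec:test"}).encode()
    return f"https://{host}:{port}/services/collector/event", headers, body


def send_test_event(token, use_ack, host, port=8088, verify_tls=True):
    """POST the event; if acknowledgement is on, query /services/collector/ack
    once and return True only when the indexer has acknowledged the ackId."""
    url, headers, body = build_event_request(token, use_ack, host=host, port=port)
    ctx = _ssl_context(verify_tls)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        reply = json.load(resp)
    if not use_ack:
        return reply.get("code") == 0
    channel = headers["X-Splunk-Request-Channel"]
    ack_url = f"https://{host}:{port}/services/collector/ack?channel={channel}"
    ack_body = json.dumps({"acks": [reply["ackId"]]}).encode()
    req = urllib.request.Request(ack_url, data=ack_body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["acks"].get(str(reply["ackId"])) is True


# Constructed sample: what splunkd might return for one partly broken input.
SAMPLE_ENTRIES = [
    {"name": "http://data-manager-cloudtrail_a1b2c3d4",
     "content": {"disabled": "0", "useACK": "1", "token": "00000000-0000-0000-0000-000000000001"}},
    {"name": "http://data-manager-guardduty_a1b2c3d4",
     "content": {"disabled": "1", "useACK": "0", "token": "00000000-0000-0000-0000-000000000002"}},
]
SAMPLE_INPUTS = [("cloudtrail", "a1b2c3d4"), ("guardduty", "a1b2c3d4"), ("cwl", "a1b2c3d4")]

if __name__ == "__main__":
    for finding in audit_hec_tokens(SAMPLE_ENTRIES, SAMPLE_INPUTS):
        print(finding)
```

Against a live deployment, replace SAMPLE_ENTRIES with fetch_hec_tokens("splunk.example", "admin", "password") and the input IDs with the ones from your Data Input Details URLs; a send_test_event() that returns True proves both the token and the acknowledgement path work end to end, so a remaining gap is on the AWS side (step 5 onward).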
Last modified on 05 September, 2024

This documentation applies to the following versions of Data Manager: 1.11.0
