Internet of Things (IoT) and Industrial IoT (IIoT)

 View Only
last person joined: 13 days ago 

Forum to discuss the HPE Aruba Networking Edge Service Platform and all associated products and solutions for any type of IoT or IIoT application. Included are IoT technology partners (eg. EnOcean, Microsoft, and Zebra) and IIOT technology partners (eg. ABB and Siemens)
Back to discussions
Expand all | Collapse all

How-to IoT transport telemetry-https -> Splunk HEC?

This thread has been viewed 7 times

  • 1.  How-to IoT transport telemetry-https -> Splunk HEC?

    Posted Oct 02, 2023 03:18 AM

    Has anyone successfully been able to connect and send to the Splunk http event collector (HEC) using telemetry-https ? I know that web socket is preferred but on-prem Splunk Enterprise does not support it and a third party add-on is not installing correctly (a different support issue).

    I am able to connect and write to the Splunk index using CLI cURL

    POST./services/collector/raw.HTTP/1.1..Host:.172.20.0.10:8088..User-Agent:.curl/8.0.1..Accept:.*/*..Authorization:.Splunk.c40346d6-02f3-4472-aafa-208406847242..Content-Length:.45..Content-Type:.application/x-www-form-urlencoded....{"event":."Event19",.."sourcetype":."manual"}

    but it fails from the IoT transport

    POST./services/collector/raw.HTTP/1.1..Host:.172.20.0.10:8088..Content-Type:.application/json..Authorization:.Bearer.c40346d6-02f3-4472-aafa-208406847242..Accept:.application/json..Content-Length:.2336..Expect:.100-continue....

    I think the keyword "Bearer" may be the issue. Splunk HEC requires "Splunk" before the token, but this fails as well

    Authorization:.Bearer.Splunk.c40346d6-02f3-4472-aafa-208406847242

    I have tried entering the token in the URL but that is not allowed by Splunk on-prem, as well as many other tries with various syntax. Hoping someone has set this up and will share the how-to thank you, Matthew



  • 2.  RE: How-to IoT transport telemetry-https -> Splunk HEC?

    EMPLOYEE
    Posted Oct 05, 2023 09:45 AM

    Your server needs to support the Aruba telemetry-https format, which does use a Bearer token for it's authorization. Does your Splunk server understand telemetry-https?? If so, it should accept the Bearer token. And if you were to go beyond the authentication token, it may be that the messages are not understood.

    Probably best to work with Splunk support on this one, as on the Aruba side it is what it is and you can't change too much.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 3.  RE: How-to IoT transport telemetry-https -> Splunk HEC?

    Posted Oct 11, 2023 08:56 PM

    Thank you for the response @Herman Robers I will work with Splunk support.


    Original Message