Your server needs to support the Aruba telemetry-https format, which does use a Bearer token for its authorization. Does your Splunk server understand telemetry-https? If so, it should accept the Bearer token. And if you were to go beyond the authentication token, it may be that the messages are not understood.
Probably best to work with Splunk support on this one, as on the Aruba side it is what it is and you can't change too much.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 30, 2023 07:06 PM
From: mwheeler
Subject: How-to IoT transport telemetry-https -> Splunk HEC?
Has anyone successfully been able to connect and send to the Splunk http event collector (HEC) using telemetry-https? I know that web socket is preferred, but on-prem Splunk Enterprise does not support it and a third party add-on is not installing correctly (a different support issue).
I am able to connect and write to the Splunk index using CLI cURL:
POST./services/collector/raw.HTTP/1.1..Host:.172.20.0.10:8088..User-Agent:.curl/8.0.1..Accept:.*/*..Authorization:.Splunk.c40346d6-02f3-4472-aafa-208406847242..Content-Length:.45..Content-Type:.application/x-www-form-urlencoded....{"event":."Event19",.."sourcetype":."manual"}
but it fails from the IoT transport:
POST./services/collector/raw.HTTP/1.1..Host:.172.20.0.10:8088..Content-Type:.application/json..Authorization:.Bearer.c40346d6-02f3-4472-aafa-208406847242..Accept:.application/json..Content-Length:.2336..Expect:.100-continue....
I think the keyword "Bearer" may be the issue. Splunk HEC requires "Splunk" before the token, but this fails as well
Authorization:.Bearer.Splunk.c40346d6-02f3-4472-aafa-208406847242
I have tried entering the token in the URL but that is not allowed by Splunk on-prem, as well as many other tries with various syntax. Hoping someone has set this up and will share the how-to. Thank you, Matthew
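The mismatch between the two captures above is the Authorization scheme ("Bearer <token>" from the IoT transport, "Splunk <token>" in the working cURL request). The following is an added example, not part of either post and not Aruba or Splunk code: a small relay that validates the Bearer token and forwards the body to HEC with the scheme Splunk expects. The relay itself, the host name, the listen port and the token are assumptions; TLS termination in front of the relay is omitted, and whether Splunk can parse the forwarded telemetry payload is a separate question.

```python
import hmac
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values, not from the thread: replace with your HEC endpoint and token.
HEC_URL = "https://splunk.example.internal:8088/services/collector/raw"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder; load from a secret store


def to_splunk_auth(header_value, expected_token):
    """Return 'Splunk <token>' for a valid 'Bearer <token>' header, else None."""
    parts = (header_value or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    # Constant-time comparison so the relay does not leak the token via timing.
    if not hmac.compare_digest(parts[1].encode(), expected_token.encode()):
        return None
    return "Splunk " + parts[1]


class Relay(BaseHTTPRequestHandler):
    # HTTP/1.1 makes http.server answer the sender's "Expect: 100-continue".
    protocol_version = "HTTP/1.1"

    def do_POST(self):
        auth = to_splunk_auth(self.headers.get("Authorization"), HEC_TOKEN)
        if auth is None:
            self.send_error(401)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        req = urllib.request.Request(HEC_URL, data=body, method="POST", headers={
            "Authorization": auth,
            "Content-Type": self.headers.get("Content-Type", "application/json"),
        })
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code  # pass Splunk's rejection back to the sender
        except OSError:
            status = 502       # HEC unreachable
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Assumed listen address; put TLS termination in front of this listener.
    HTTPServer(("127.0.0.1", 8080), Relay).serve_forever()
```

The relay rejects anything other than the exact expected token, so it does not become an open forwarder into the Splunk index.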