I have a HEC input set up on my Splunk v. 8.1.1 server and I am trying to send metrics to it, ie.:
curl -k https://$SPLUNK_HOST:$HEC_PORT/services/collector/raw -H "Authorization: Splunk $HEC_TOKEN"
-d "
{'time': 1610123044, 'fields': {'metric_name': 'kernel.all.load', '_value': 2.8499999046325684, 'instance_id': 1, 'instance_name': '1 minute'}}
{'time': 1610123044, 'fields': {'metric_name': 'kernel.all.load', '_value': 3.8299999237060547, 'instance_id': 5, 'instance_name': '5 minute'}}
{'time': 1610123044, 'fields': {'metric_name': 'kernel.all.load', '_value': 3.6700000762939453, 'instance_id': 15, 'instance_name': '15 minute'}}"
(Note: line breaks within the quotes added for clarity)
I get a positive response from the server every time:
{'text': 'Success', 'code': 0}
But no data is saved in the index. I have the default index set for the HEC input. If I delete or disable this index I get the message on the main page in Splunk, ie.:
Received event for unconfigured/disabled/deleted index=pcp_hec with source="source::http:PCP via HEC" host="host::localhost:32926" sourcetype="sourcetype::httpevent". So far received events from 1 missing index(es).
When I restore the index back the message disappears, but still no data is saved under the index. I cannot figure out what is wrong in my case, because the official documentation is very brief on this subject. I found two threads on this forum (1, 2) and a few similar ones elsewhere, but the answers only contained the same example from the documentation. I tried to include the metadata from the examples, but that did not solve the problem. Nowhere does it say what the perflog sourcetype actually is. I also tried log2metrics_json for the sourcetype, but it did not help either.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
