Firehose Splunk HEC - Server error

Hello gurus,

I am trying to send data to Splunk through Firehose. I have a Splunk HEC endpoint that has been provided to me along with a HEC token. When I use the HEC endpoint and token with Curl/Postman, I am able to send data to Splunk but when I configure it with Firehose, I get this error - Data delivery to Splunk failed due to a server error from the HEC node. Make sure HEC endpoint or the Elastic Load Balancer is reachable and is healthy.

There are no other details provided so I am unable to understand what the underlying cause is. The requests also do not seem to be reaching the destination. This is the format of the Splunk HEC that I am using - https://<<FQDN>>/platform/splunk/hec/v1

Any help I can get with this is much appreciated as I am clueless. Thanks in advance.

  • Adding additional information here based on points provided by the re:Post agent AI answer -

    1. I do not have a VPC and hence no security group as well
    2. Even with this, I would have expected requests to hit the Splunk HEC nodes? ATM I can't see any requests.
    3. Version 7.x
    4. Verified. The token works with Curl and Postman
    5. The index is valid and has been verified with Curl/Postman
    6 & 7. Will try these options but I'd have thought that the load balancer before Splunk server would at least see requests coming in
    8. The HEC health endpoint works fine and is able to respond to Curl and Postman requests
    9. Destination error logs appear in an S3 bucket I have configured
    10. No transformation and hence no lambda involved
asked a month ago, 36 views
1 Answer
When encountering a server error from the Splunk HEC node while using Amazon Data Firehose, there are several steps you can take to troubleshoot and resolve the issue:

  1. First, verify that your Firehose can access the Splunk platform in your VPC. Ensure that the necessary network configurations and security groups are set up correctly to allow communication between Firehose and your Splunk endpoint.

  2. If you're using a load balancer in front of your Splunk HEC nodes, make sure you're using either a Classic Load Balancer or an Application Load Balancer with duration-based sticky sessions enabled. This helps maintain consistent connections between Firehose and the HEC nodes.

  3. Check that your Splunk platform meets the required version (6.6.X or later) to ensure compatibility with Firehose.

  4. Verify that the HEC token you're using is valid and enabled in your Splunk configuration. Double-check that you've entered the correct token in your Firehose settings.

  5. Ensure that the data being sent to Splunk is formatted correctly and that the HEC token and input event are configured with a valid index in Splunk.

  6. Review the Firehose configuration and increase the value of HECAcknowledgmentTimeoutInSeconds in the Splunk destination configuration of your Firehose stream. This gives Splunk more time to process and acknowledge the incoming data.

  7. Similarly, increase the value of DurationInSeconds under RetryOptions in the Splunk destination configuration. This allows Firehose to retry failed deliveries for a longer period.

  8. Check the health of your HEC endpoint. Ensure that the Splunk cluster is running properly and that there are no issues with the HEC configuration on the Splunk side.

  9. If the issue persists, check if your data appears in the Amazon S3 backup bucket. When uploads to Splunk fail due to server errors, Firehose automatically retries and then backs up the data to S3 if all retries fail.

  10. If you're using data transformation with a Lambda function, ensure that your function never returns responses with a payload size exceeding 6 MB, as this can cause issues with data delivery.

By systematically going through these steps, you should be able to identify and resolve the underlying cause of the server error from the HEC node. If the problem continues, you may need to work with your Splunk administrator to further investigate any potential issues on the Splunk side.
Sources
Troubleshooting Splunk - Amazon Data Firehose
Handle data delivery failures - Amazon Data Firehose

answered a month ago
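
Step 9 of the answer points at the S3 backup bucket, and the asker notes that destination error logs do land there. As an added example (not part of the original answer and not AWS code), this script groups the failed-delivery records in one backup object by error code. The record field names (`errorCode`, `attemptsMade`, `arrivalTimestamp`, `attemptEndingTimestamp`, `rawData`), the two error codes and every sample value are assumptions constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone

def _rec(code, attempts, arrived_ms, ended_ms, payload):
    # Builds one constructed record; the field names are an assumed layout.
    return json.dumps({"attemptsMade": attempts, "arrivalTimestamp": arrived_ms,
                       "errorCode": code, "errorMessage": "constructed message",
                       "attemptEndingTimestamp": ended_ms,
                       "rawData": base64.b64encode(payload.encode()).decode()})

# Constructed sample object: two newline-separated records, then a third
# concatenated without a delimiter, which the parser must also handle.
SAMPLE = (_rec("Splunk.ServerError", 2, 1700000000000, 1700000120000, '{"event": "login ok"}')
          + "\n" + _rec("Splunk.AckTimeout", 1, 1700000005000, 1700000200000, '{"event": "disk full"}')
          + _rec("Splunk.ServerError", 4, 1700000010000, 1700000310000, '{"event": "logout"}'))

def parse_records(text):
    """Yield JSON objects from text that is newline-delimited or concatenated."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def summarize(text, preview=40):
    """Group failed records by errorCode: count, retry depth, time window, sample."""
    out = {}
    for rec in parse_records(text):
        # The payload preview is truncated because rawData can hold sensitive log lines.
        s = out.setdefault(rec.get("errorCode", "unknown"), {
            "count": 0, "max_attempts": 0, "first_arrival_ms": None,
            "last_attempt_end_ms": None, "message": rec.get("errorMessage", ""),
            "sample": base64.b64decode(rec.get("rawData", "")).decode("utf-8", "replace")[:preview]})
        s["count"] += 1
        s["max_attempts"] = max(s["max_attempts"], rec.get("attemptsMade", 0))
        arrived, ended = rec.get("arrivalTimestamp"), rec.get("attemptEndingTimestamp")
        if arrived is not None and (s["first_arrival_ms"] is None or arrived < s["first_arrival_ms"]):
            s["first_arrival_ms"] = arrived
        if ended is not None and (s["last_attempt_end_ms"] is None or ended > s["last_attempt_end_ms"]):
            s["last_attempt_end_ms"] = ended
    return out

if __name__ == "__main__":
    for code, s in summarize(SAMPLE).items():
        window = [datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
                  for ms in (s["first_arrival_ms"], s["last_attempt_end_ms"])]
        print(code, s["count"], "records, max attempts", s["max_attempts"], window, s["sample"])
```

Run it over the text of a downloaded backup object in place of `SAMPLE`; a single dominant error code and a high `max_attempts` show whether every retry is failing the same way.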