Splunk Ingest fails with HTTP 401

When performing an ingest from Splunk, queries after the first may fail with HTTP 401 -- {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}. This happens when the polling period is longer than the Splunk session timeout, so the session has already expired by the time Flume polls again.

By default, Flume is configured to poll Splunk every hour to pull data. The polling period is configurable with the following parameter:

# interset_auth_events_0_0_splunk.sources.splunkAdSource.pollPeriodSeconds = 3600

Uncomment this parameter, change the value to be below your Splunk session timeout (ideally by a few minutes), and restart Flume. Note that this value is specified in seconds.
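A check to run before restarting Flume, as an added example that is not part of the original article: it reads the Flume properties file, treats a commented-out or missing pollPeriodSeconds as the hourly default, and compares the result with the Splunk session timeout you pass in. The function names, the s/m/h/d timeout suffixes and the 300-second margin are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): compare Flume's Splunk poll period
# with the Splunk session timeout. The 300 s margin is an assumption.
DEFAULT_POLL=3600   # the article's default: Flume polls Splunk every hour

# to_seconds VALUE: plain seconds or a number with an s/m/h/d suffix.
to_seconds() {
    num=${1%[smhd]}
    case "$num" in ""|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *d) echo $((num * 86400)) ;;
        *h) echo $((num * 3600)) ;;
        *m) echo $((num * 60)) ;;
        *)  echo "$num" ;;
    esac
}

# effective_poll FILE: last uncommented *.pollPeriodSeconds value, or the
# default when the parameter is absent or still commented out.
effective_poll() {
    val=$(sed -n 's/^[[:space:]]*[^#[:space:]][^=]*\.pollPeriodSeconds[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
    echo "${val:-$DEFAULT_POLL}"
}

# check_poll FILE TIMEOUT [MARGIN]: 0 = ok, 1 = sessions will expire
# between polls, 2 = below the timeout but within MARGIN, 3 = bad input.
check_poll() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 3; }
    limit=$(to_seconds "$2") || { echo "bad timeout: $2" >&2; return 3; }
    poll=$(effective_poll "$1")
    margin=${3:-300}
    if [ "$poll" -ge "$limit" ]; then
        echo "FAIL: poll ${poll}s >= session timeout ${limit}s; expect HTTP 401 after the first query"
        return 1
    elif [ $((limit - poll)) -lt "$margin" ]; then
        echo "WARN: poll ${poll}s is less than ${margin}s below the ${limit}s timeout"
        return 2
    fi
    echo "OK: poll ${poll}s is below session timeout ${limit}s"
}

# Usage: sh check_poll.sh FLUME_PROPERTIES SPLUNK_TIMEOUT [MARGIN_SECONDS]
if [ "$#" -ge 2 ]; then
    check_poll "$@"
else
    sample=$(mktemp)   # constructed sample: parameter still commented out
    echo '# interset_auth_events_0_0_splunk.sources.splunkAdSource.pollPeriodSeconds = 3600' > "$sample"
    check_poll "$sample" 1h || true
    rm -f "$sample"
fi
```

FLUME_PROPERTIES is a placeholder for the path to your Flume configuration file.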
