Hi,
I'm trying to forward logs from logstash to Splunk using http,
and this is my logstash.conf file:
input {
file {
path => "${TEST_INPUT_PATH}"
start_position => "beginning"
}
}
output {
http {
http_method => "post"
url => "{TEST_URL}"
headers => ["Authorization", "{TEST_SPLUNK_AUTH}"]
mapping => {
"event" => "%{[message]}"
"sourceType" => "aoflow_acct_add"
}
}
}
in each change in ${TEST_INPUT_PATH} file the logs supposed to be sent to Splunk.
The problem is that in each http out, I get this error:
[2019-10-16T11:14:44,407][ERROR][logstash.outputs.http ] [HTTP Output Failure] Encountered non-2xx HTTP code 400 {:response_code=>400, :url=>"http://172.17.0.4:8088/services/collector/event", :event=>#LogStash::Event:0x3252cdd2}
This is the event data:
{
"path" => "/usr/share/logstash/log-test/log.txt",
"@timestamp" => 2019-10-16T11:14:42.652Z,
"@version" => "1",
"host" => "test-7669c9ddc4-zbthj",
"message" => "The time is: 1571224474807 "
}
- I tried to curl to this url and with this token and it worked.
- I tried to just stdout the input and it worked
so I guess something is wrong with my configuration of the http output.
Where am I getting wrong?
Thanks 