Indexer acknowledgement

Indexer acknowledgement is an additional functionality of the Splunk HEC. In the previous examples, after submitting the cURL command, Splunk would return a success message. However, such a message just confirms the event was received. It does not confirm that the event was actually indexed by Splunk. This is where the indexer acknowledgement functionality adds value.

If some or all of your HEC events must be captured reliably, HEC indexer acknowledgement lets you check whether each event was indexed and resend the events that fail to index.

Indexer acknowledgement is configured at an HEC token level. Therefore, some tokens can include the acknowledgement functionality while others may not.

To edit the token you created in the earlier exercises, go to the HTTP Event Collector input screen:

  1. Go to Settings | Data Inputs
  2. Click on HTTP Event Collector
  3. Click on the Edit button for your token in the Actions column
  4. Check the box next to Enable indexer acknowledgement and then click on Save

Now, the original cURL statement needs to be updated to account for the acknowledgement functionality. The modified cURL is as follows, with the channel query parameter as the new addition:

curl -k https://localhost:8088/services/collector?channel=0aeeac95-ac74-4aa9-b30d-6c4c0ac581ba -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"event":"Mobile Device Event - Something happened"}'

The long value after the = sign is an example of a GUID, which can be created online on sites such as guidgenerator.com. The specific GUID used is not important; however, the same GUID must also be used when checking the indexer acknowledgement status.

After submitting the preceding cURL successfully, the following message is returned:

{"text":"Success","code":0,"ackId":0}

This is similar to the message received earlier, except that an additional ackId field is now returned with a numeric identifier, in this case 0.

Submit the event another four times. Notice that the ackId increments with each submission. Check the acknowledgement status using the following command:

curl -k https://localhost:8088/services/collector/ack?channel=0aeeac95-ac74-4aa9-b30d-6c4c0ac581ba -H 'Authorization: Splunk e848d8a2-43f4-446c-af9c-e5cd8d7b26a1' -d '{"acks": [0,1,2,3,4]}'
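The check-and-resend flow described above, as an added example that is not part of the original text: events are submitted on one channel, the returned ackIds are mapped back to their payloads, and the ack endpoint is queried to find the events Splunk has not confirmed as indexed. The HTTP transport is injected so the demo runs offline against a constructed fake HEC; the token and channel GUID are the constructed values from the text, and the ack reply shape {"acks": {"<ackId>": true|false}} is Splunk's documented format, which this page does not show.

```python
import json
import urllib.request

# Constructed values for this example; substitute your own token and a fresh GUID.
HEC_URL = "https://localhost:8088/services/collector"
TOKEN = "e848d8a2-43f4-446c-af9c-e5cd8d7b26a1"
CHANNEL = "0aeeac95-ac74-4aa9-b30d-6c4c0ac581ba"

def http_post(url, body):
    """Real transport: POST a JSON body to HEC and return the decoded reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Splunk {TOKEN}"})
    with urllib.request.urlopen(req) as resp:  # TLS verification stays on
        return json.loads(resp.read())

def send_events(events, post, channel=CHANNEL):
    """Submit events on one channel; return {ackId: event} for later resends."""
    pending = {}
    for event in events:
        reply = post(f"{HEC_URL}?channel={channel}", {"event": event})
        if reply.get("code") != 0:
            raise RuntimeError(f"HEC rejected event: {reply}")
        pending[reply["ackId"]] = event
    return pending

def unacked(pending, post, channel=CHANNEL):
    """Return the events Splunk has not confirmed as indexed (ack == false)."""
    reply = post(f"{HEC_URL}/ack?channel={channel}", {"acks": list(pending)})
    acks = reply["acks"]  # Splunk answers {"acks": {"<ackId>": true|false}}, string keys
    return [ev for ack_id, ev in pending.items() if not acks.get(str(ack_id), False)]

class FakeHec:
    """Constructed stand-in for both HEC endpoints so the flow runs offline.
    Each submission gets the next ackId; ackIds in `stuck` are never indexed."""
    def __init__(self, stuck=()):
        self.next_id, self.stuck = 0, set(stuck)

    def __call__(self, url, body):
        if url.split("?")[0].endswith("/ack"):
            return {"acks": {str(i): i not in self.stuck for i in body["acks"]}}
        self.next_id += 1
        return {"text": "Success", "code": 0, "ackId": self.next_id - 1}

def demo():
    """Five submissions as in the text; ackId 2 is simulated as never indexed."""
    hec = FakeHec(stuck={2})
    pending = send_events([f"event {i}" for i in range(5)], hec)
    return unacked(pending, hec)  # -> ["event 2"], the payload to resend
```

Splunk reports a given ackId as true only once; a later query for the same ackId returns false, so record the result of each ack query rather than re-polling ids that were already acknowledged.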