sc4s:probe curl string is incorrect, resulting in default index being used
Lines 178 and 184 of package/sbin/entrypoint.sh need to be updated to the following (respectively). The addition of the / in the URL causes the "?index" parameter not to be read in properly, so the event will end up in the default index of the HEC token rather than going to the index specified in the URL. Removing the "/" allows it to function correctly.
```
if curl -s -S ${NO_VERIFY} "${HEC}?index=${SC4S_DEST_SPLUNK_HEC_FALLBACK_INDEX}" -H "Authorization: Splunk ${SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe"}' 2>&1 | grep -v '{"text":"Success"'
if curl -s -S ${NO_VERIFY} "${HEC}?index=${SC4S_DEST_SPLUNK_HEC_EVENTS_INDEX}" -H "Authorization: Splunk ${SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN}" -d '{"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe"}' 2>&1 | grep -v '{"text":"Success"'
```
I confirm the problem and that the solution worked for me. Thanks Nick!
Thanks @nbertram-splunk @geoffmartin !
You are completely right, ?/index is the wrong HTTP GET param. I prepared a PR with the fix.
@mstopa-splunk @rjha-splunk Probably we will move `index` to the JSON payload (together with `sourcetype`).
I think it's strange that during a `POST` query we are using `GET` params.
@ikheifets-splunk you're right - both solutions work for me, but with preference for moving to the json payload
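An added example, not code from the SC4S repository: hypothetical shell helpers (`hec_probe_url`, `hec_probe_payload`, `hec_probe`) showing the two approaches discussed in this thread, the query string attached directly to the endpoint path and the index carried in the JSON payload. The set of characters accepted in an index name is an assumption.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from package/sbin/entrypoint.sh.

# Build the probe URL. Trailing slashes are stripped from the endpoint so the
# query string attaches directly to the path ("...?index=x"), never
# ".../?index=x", the form the issue reports as falling back to the token's
# default index.
hec_probe_url() {
    endpoint=$1
    index=$2
    while [ "${endpoint%/}" != "$endpoint" ]; do
        endpoint=${endpoint%/}
    done
    printf '%s?index=%s\n' "$endpoint" "$index"
}

# Build the probe body with the index in the HEC event metadata, next to
# sourcetype. The index name is validated rather than escaped, so a value
# containing quotes cannot add or override JSON keys.
# Assumption: letters, digits, "_" and "-" are the only characters accepted.
hec_probe_payload() {
    index=$1
    case $index in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid index name: $index" >&2
            return 1 ;;
    esac
    printf '{"event": "HEC TEST EVENT", "sourcetype": "sc4s:probe", "index": "%s"}\n' "$index"
}

# Send the probe: $1 = HEC endpoint, $2 = token, $3 = index.
# Returns 0 only when the response contains "text":"Success".
# NO_VERIFY is unquoted on purpose: it is either empty or a single curl flag.
hec_probe() {
    body=$(hec_probe_payload "$3") || return 1
    curl -s -S ${NO_VERIFY} "$1" -H "Authorization: Splunk $2" -d "$body" 2>&1 |
        grep -q '"text":"Success"'
}
```

A successful probe only shows that HEC accepted the event; searching for `sourcetype="sc4s:probe"` in the intended index confirms where it actually landed.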