AEM Cloud Manager LogForwarding to Splunk Cloud - 404 Error During Credential Audit | Community
Skip to main content
G
georhe6
Level 4
June 16, 2025
Solved

AEM Cloud Manager LogForwarding to Splunk Cloud - 404 Error During Credential Audit

  • June 16, 2025
  • 1 reply
  • 416 views

I'm trying to configure LogForwarding from AEM Cloud Service to Splunk Cloud but getting a 404 error during the credential audit phase.

Error Message:

 

Error in config kind 'LogForwarding': credentials audit job failed for splunk: Error: splunk audit failed: request to the provider Splunk failed due to an unexpected status code: 404, please check credentials | [credential audit failed]

 

 

Current Configuration:

 

 
yaml
kind: "LogForwarding"
version: "1"
metadata:
  envTypes: ["dev"]
data:
  splunk:
    default:
      enabled: true
      host: "org.splunkcloud.com"
      port: 443
      token: "${{SPLUNK_HEC_TOKEN}}"
      index: "name_aem"
 

 

Splunk HEC Token is valid and enabled 

Index "caat_aem" exists in Splunk
Unsure about correct Splunk Cloud HEC endpoint URL


 

Best answer by SantoshSai

Hi @georhe6,

It seems Adobe is successfully reaching your Splunk instance, but the endpoint path or token is not being accepted, leading to a 404 Not Found error.

Please double check
1. Correct Splunk cloud HEC host format

For Splunk Cloud, the HEC endpoint host usually looks like:

http-inputs-<your-splunk-instance>.splunkcloud.com

NOT just org.splunkcloud.com

So update:

host: "http-inputs-org.splunkcloud.com"

Replace org with your actual Splunk account prefix.

You can confirm the correct HEC URL from Splunk under:

  • Settings > Data Inputs > HTTP Event Collector > [your token] > look for the full URL.

2. Check HEC token

Ensure:

  • Token is enabled

  • Enable Indexer Acknowledgment is optional but can help with tracking

  • Token has permissions to write to the index you configured (e.g., name_aem)

3. Test Token from Local cURL (Optional)
curl -k https://http-inputs-<your-prefix>.splunkcloud.com:443/services/collector/event \
  -H "Authorization: Splunk <YOUR_TOKEN>" \
  -d '{"event": "test event from Adobe"}'

You should get a {"text":"Success","code":0} response.

Updated working example

kind: "LogForwarding"
version: "1"
metadata:
  envTypes: ["dev"]
data:
  splunk:
    default:
      enabled: true
      host: "http-inputs-org.splunkcloud.com"
      port: 443
      token: "${{SPLUNK_HEC_TOKEN}}"
      index: "name_aem"

Replace "http-inputs-org.splunkcloud.com" with your actual Splunk Cloud endpoint prefix.

1 reply

SantoshSai
Community Advisor
SantoshSaiCommunity AdvisorAccepted solution
Community Advisor
June 16, 2025

Hi @georhe6,

It seems Adobe is successfully reaching your Splunk instance, but the endpoint path or token is not being accepted, leading to a 404 Not Found error.

Please double check
1. Correct Splunk cloud HEC host format

For Splunk Cloud, the HEC endpoint host usually looks like:

http-inputs-<your-splunk-instance>.splunkcloud.com

NOT just org.splunkcloud.com

So update:

host: "http-inputs-org.splunkcloud.com"

Replace org with your actual Splunk account prefix.

You can confirm the correct HEC URL from Splunk under:

  • Settings > Data Inputs > HTTP Event Collector > [your token] > look for the full URL.

2. Check HEC token

Ensure:

  • Token is enabled

  • Enable Indexer Acknowledgment is optional but can help with tracking

  • Token has permissions to write to the index you configured (e.g., name_aem)

3. Test Token from Local cURL (Optional)
curl -k https://http-inputs-<your-prefix>.splunkcloud.com:443/services/collector/event \
  -H "Authorization: Splunk <YOUR_TOKEN>" \
  -d '{"event": "test event from Adobe"}'

You should get a {"text":"Success","code":0} response.

Updated working example

kind: "LogForwarding"
version: "1"
metadata:
  envTypes: ["dev"]
data:
  splunk:
    default:
      enabled: true
      host: "http-inputs-org.splunkcloud.com"
      port: 443
      token: "${{SPLUNK_HEC_TOKEN}}"
      index: "name_aem"

Replace "http-inputs-org.splunkcloud.com" with your actual Splunk Cloud endpoint prefix.

Santosh Sai
    Terms & ConditionsAccessibility statement

    Loading footer...