The Splunk log collector receives HTTP error code 400 when trying to pull logs from Web Security Service (WSS):
2021-01-11 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2021-01-11 14:10:46,355 ERROR 140160265734080 - 2021-01-11 14:10:46 status=error, msg='Server failed to fulfill the request', code='400'
2021-01-11 14:11:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2021-01-11 14:11:46,800 ERROR 140317862344640 - 2021-01-11 14:11:46 status=error, msg='Server failed to fulfill the request', code='400'
Manually downloading the same logs from the Portal works fine.
What is happening is that the startDate of the first API call is more than 30 days in the past. In this case the startDate is July 1 (inspect the startDate parameter of the request and convert the epoch value with an epoch calculator such as https://www.epochconverter.com/) and the endDate is 0, which means "now". July 1, 2020 to the January 11, 2021 timestamps in the log above is 194 days, which matches the 400 response body:
message Date range between startDate and endDate is too big. Expected value within 30 days but got: 194 for customer xxxx
The fix is simply to change the start date so that the requested range is within 30 days.
Splunk SIEM solution collecting logs using the SyncAPI
Splunk WSS plugin (TA) downloaded and in use
Change the start time in the SyncAPI client request to be within 30 days of the current time.
The issue is in the Splunk TA app: the customer recreated the Splunk app, and the start date parameter was not updated.
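The following is an added example, not code from this article or from the Splunk WSS TA, showing how a collector could validate the startDate/endDate pair before sending the SyncAPI request, recognise the "Date range ... is too big" 400 body, and compute a compliant startDate. It assumes the epoch values are milliseconds (convert with an epoch calculator if your collector stores seconds) and, as the article states, that endDate=0 means "now"; the function names are hypothetical, and the sample values are constructed to reproduce the July 1 to January 11 case from the log above.

```python
import re
from datetime import datetime, timezone

MAX_WINDOW_DAYS = 30        # limit quoted in the WSS 400 response body
MS_PER_DAY = 86_400_000     # assumption: SyncAPI dates are epoch milliseconds

# Pattern for the 400 body: "Expected value within 30 days but got: 194 ..."
RANGE_ERROR_RE = re.compile(r"Expected value within (\d+) days but got: (\d+)")


def to_epoch_ms(dt: datetime) -> int:
    """Convert an aware datetime to epoch milliseconds."""
    return int(dt.timestamp() * 1000)


def from_epoch_ms(ms: int) -> datetime:
    """Convert epoch milliseconds back to a UTC datetime (for messages)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def window_days(start_ms: int, end_ms: int, now_ms: int) -> int:
    """Whole days between startDate and endDate; endDate=0 means 'now'."""
    effective_end = now_ms if end_ms == 0 else end_ms
    if start_ms > effective_end:
        raise ValueError("startDate is after endDate")
    return (effective_end - start_ms) // MS_PER_DAY


def check_sync_request(start_ms: int, end_ms: int, now_ms: int):
    """Pre-flight check: (ok, days, explanation) for a SyncAPI date range."""
    days = window_days(start_ms, end_ms, now_ms)
    if days > MAX_WINDOW_DAYS:
        return (False, days,
                f"startDate {from_epoch_ms(start_ms):%Y-%m-%d} is {days} days "
                f"before endDate; expected within {MAX_WINDOW_DAYS} days")
    return (True, days, "date range within limit")


def parse_range_error(body: str):
    """Return (limit_days, requested_days) if the body is the range error."""
    m = RANGE_ERROR_RE.search(body)
    return (int(m.group(1)), int(m.group(2))) if m else None


def compliant_start_ms(now_ms: int, days_back: int = MAX_WINDOW_DAYS - 1) -> int:
    """A startDate that stays inside the 30-day window (29 days back by default)."""
    return now_ms - days_back * MS_PER_DAY


if __name__ == "__main__":
    # Constructed values: startDate July 1 2020 00:00 UTC, "now" taken from the
    # log timestamp 2021-01-11 14:10:46 (treated as UTC), endDate=0.
    now = to_epoch_ms(datetime(2021, 1, 11, 14, 10, 46, tzinfo=timezone.utc))
    start = to_epoch_ms(datetime(2020, 7, 1, tzinfo=timezone.utc))
    print(check_sync_request(start, 0, now))          # (False, 194, ...)
    body = ("message Date range between startDate and endDate is too big. "
            "Expected value within 30 days but got: 194 for customer xxxx")
    print(parse_range_error(body))                    # (30, 194)
    print(check_sync_request(compliant_start_ms(now), 0, now))  # (True, 29, ...)
```

Running the check before each poll lets the collector log a clear reason instead of the bare "Server failed to fulfill the request" seen above, and the recreated-app case (stale startDate left from a previous install) is caught on the first run rather than every minute thereafter.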