Getting error "channel unsupported" when sending audit logs to Splunk

Lenses is not sending events correctly to Splunk. Getting error messages such as:

Splunk channel unsupported content-type

What could be the issue?

In the case of Splunk, Lenses allows access to events via /services/collector/raw.

Based on the description, access may not have been granted to the Lenses address for Splunk to collect the data. You can test this with a curl command using the Splunk HEC endpoint and a valid Splunk token, e.g.:

curl "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=mydata" -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" -d '1, 2, 3... Hello, world!'

Check that you get the correct response code and that the event appears in Splunk.

You may want to test this from the Lenses endpoint (pod, docker etc.) to ensure there is network connectivity to the Splunk HEC endpoint.
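
The curl test above can be wrapped so that a network fault (DNS, blocked port, TLS) is reported separately from a rejection by HEC itself (token or channel). This is an added example, not part of Lenses or Splunk; the function names and the HEC_URL, HEC_TOKEN and HEC_CHANNEL variables are assumptions, and the channel check relies on the HEC reply codes 10 (data channel is missing) and 11 (invalid data channel).

```shell
#!/bin/sh
# Added example: run the HEC raw-endpoint test from the Lenses host and
# classify the outcome. Variable and function names are assumptions.

# classify_hec CURL_EXIT HTTP_STATUS BODY -> prints one diagnosis label
classify_hec() {
  rc=$1 status=$2 body=$3
  # curl exit codes first: a non-zero code means HEC was never reached.
  case "$rc" in
    0)     ;;
    6)     echo dns-failure; return ;;
    7)     echo connection-refused-or-filtered; return ;;
    28)    echo timeout; return ;;
    35|60) echo tls-failure; return ;;
    *)     echo "curl-error-$rc"; return ;;
  esac
  # HEC answered: interpret the HTTP status and the JSON reply body.
  case "$status" in
    200)     echo ok ;;
    401|403) echo token-rejected ;;
    400)     case "$body" in
               *'"code":10'*|*'"code":11'*) echo channel-rejected ;;
               *)                           echo bad-request ;;
             esac ;;
    5??)     echo splunk-server-error ;;
    *)       echo "unexpected-http-$status" ;;
  esac
}

# probe_hec: send one test event to /services/collector/raw.
# The token is passed on stdin (-H @-, curl 7.55.0 or later) so it does
# not show up in the process list of the pod or container.
probe_hec() {
  tmp=$(mktemp) || return 1
  status=$(printf 'Authorization: Splunk %s\n' "$HEC_TOKEN" |
    curl -sS --max-time 10 -o "$tmp" -w '%{http_code}' -H @- \
      -d 'lenses connectivity test' \
      "$HEC_URL/services/collector/raw?channel=$HEC_CHANNEL&sourcetype=mydata")
  rc=$?
  classify_hec "$rc" "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# Usage, inside the Lenses pod or container:
#   HEC_URL=https://mysplunkserver.example.com:8088 HEC_TOKEN=... \
#   HEC_CHANNEL=... probe_hec
```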