Error using Protocol Data Inputs app

ClicktaleChris
New Member

I found your Splunk Add-on that supports websockets and thought it would work great for a side project I am working on.

I could not find any configuration doc, so I started guessing and looks like I needed to update /Applications/Splunk/etc/apps/protocol_ta/README/inputs.conf.spec based on messages in the log. I am still getting the following error and hope this is just an oversight on my end.

I have pasted the updated inputs.conf.spec for your review and the errors in the log. There were a few articles on the answers site, but none of them resolved the issue.

I also do not see configuration options in DataInput and assume this is due to the error at startup (this is based on the content in protocol_manager.xml).

Log snippet:
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "powershell2://" with 2 parameters: script, schedule
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "powershell://" with 2 parameters: script, schedule
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "protocol://" with 27 parameters: protocol, port, bind_address, use_ssl, tcp_nodelay, receive_buffer_size, tcp_keepalive, so_linger, keystore_pass, keystore_path, truststore_pass, truststore_path, client_auth_required, ip_version, is_multicast, udp_receive_buffer_size, set_broadcast, multicast_group, multicast_ttl, set_multicast_loopback_mode, session_timeout, heartbeat_period, app_name, output_type, server_verticle_instances, handler_verticle_instances, output_verticle_instances
12-06-2017 15:39:11.460 -0500 INFO SpecFiles - Found external scheme definition for stanza "splunktcptoken://" with 1 parameters: token
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).

12-06-2017 15:39:14.429 -0500 INFO DS_DC_Common - Initializing the PubSub system.
12-06-2017 15:39:14.429 -0500 INFO DS_DC_Common - Initializing core facilities of PubSub system.

Any help is greatly appreciated.

File:

[protocol://websocket]

*------------
*General settings
*------------

*protocol to use  , one of  [tcp , udp, http, websocket , sockjs]
protocol=websocket

*network port to open.For ports < 1024 , you'll need to be running with root permissions.
port=9000

*network interface address to bind to , IP or hostname , defaults to 0.0.0.0 (listen on all interfaces)
bind_address=0.0.0.0

*whether or not (0,1) to use SSL for TCP or HTTP
use_ssl=0

*------------
*TCP settings
*------------

*whether or not (0,1) to enable TCP No Delay
tcp_nodelay=1

*buffer size (number)
receive_buffer_size=9000

*whether or not (0,1) to enable TCP Keep Alive
tcp_keepalive=1

*SO Linger time in seconds.Using a negative value will disable it.
so_linger=5

*-------------------------------------------------------------------------------
*SSL settings (uses your own Java Keystore , NOT Splunk's internal Certificates)
*Refer to http://vertx.io/core_manual_java.html#ssl-servers
*-------------------------------------------------------------------------------

*Java Keystore password
keystore_pass=password

*Java Keystore path
keystore_path=/

*Java Truststore password
truststore_pass=password

*Java Truststore path
truststore_path=/

*whether or not (0,1) client authentication is required
client_auth_required=0

*------------
*UDP settings
*------------

*v4 or v6
ip_version=v4

*whether or not (0,1) this UDP socket is also multicast
is_multicast=0

*buffer size (number)
udp_receive_buffer_size=9000

*whether or not (0,1) to set broadcast mode
set_broadcast=0

*IP address pattern of the network interface
multicast_group=0.0.0.0

*time to live (number)
multicast_ttl=900

*whether or not (0,1) to set multicast loopback mode
set_multicast_loopback_mode=0

*---------------
*SockJS Settings
*---------------

*session timeout (number)
session_timeout=900

*heartbeat period (number)
heartbeat_period=10

*application name. Defaults to "splunk" , so the URI would be http://somehost/splunk
app_name=splunk

*---------------
*Custom Data Handler
*---------------

*custom data handler name (a vertx polyglot verticle that you've placed in the protocol_ta/bin/datahandlers directory)
**handler_verticle = <value>

*A JSON Config String to pass to the handler, example :  {"foo":"1","zoo":"goo"}
**handler_config = <value>

*------------
*Data Output
*------------

* One of [stdout | tcp | hec ]. Defaults to stdout.
output_type = stdout

* For tcp output.
**output_port = <value>

* For hec(HTTP Event Collector) output
**hec_port = <value>
* Defaults to 1
**hec_poolsize = <value>
**hec_token = <value>
* 1 | 0
**hec_https = <value>
# 1 | 0
**hec_batch_mode = <value>
# numeric value
**hec_max_batch_size_bytes = <value>
# numeric value
**hec_max_batch_size_events = <value>
#in milliseconds
**hec_max_inactive_time_before_batch_flush = <value>


*---------------------
*JVM System Properties
*---------------------

*additional JVM properties , these will get applied JVM wide , so be judicious in use
**additional_jvm_propertys = <value>

*-------------------------------
*Performance Tuning and Scaling
*-------------------------------

*You can increase the number of instances to utilise more cores on your server

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
server_verticle_instances = 1

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
handler_verticle_instances = 1

*defaults to 1 , refer to http://vertx.io/core_manual_java.html#specifying-number-of-instances
output_verticle_instances = 1

* Refer to http://vertx.io/manual.html#improving-connection-time
**accept_backlog = <value>
0 Karma

Damien_Dallimor
Ultra Champion
> so I started guessing and looks like I needed to update /Applications/Splunk/etc/apps/protocol_ta/README/inputs.conf.spec based on messages in the log

You guessed wrong, you absolutely should NOT change that file. Ever.

When you set up a stanza via the UI, stanzas get written to local/inputs.conf for you.

> 12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
> 12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).

The App is not even running and loading, that is why you see no config screen under data inputs.

I'm going to guess you have not followed something in the docs such as correct JRE version and/or a JRE is on the path.

Try reading the Dependencies, Setup and Troubleshooting section in the docs.

ClicktaleChris
New Member

Thank you for the quick response.
I restored the inputs.conf.spec file and back-leveled my JRE to 1.7 and it works like a Champ!

Note: requirements of JRE 1.7+, but JRE 1.9 causes issues... stick with JRE 1.7 and all works well.

0 Karma
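A triage sketch for the failure diagnosed in this thread, added here as an example and not code from the add-on or from either poster: it pulls modular-input initialization failures out of splunkd.log text and reads the JRE major version from `java -version` output. The sample log lines are constructed from the format quoted above, and `known_good_major=7` reflects only the poster's report that JRE 1.7 worked.

```python
import re

# Constructed sample in the splunkd.log format quoted in the thread.
SAMPLE_LOG = """\
12-06-2017 15:39:11.459 -0500 INFO SpecFiles - Found external scheme definition for stanza "protocol://" with 27 parameters: protocol, port
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Introspecting scheme=protocol: script running failed (exited with code 1).
12-06-2017 15:39:14.412 -0500 ERROR ModularInputs - Unable to initialize modular input "protocol" defined inside the app "protocol_ta": Introspecting scheme=protocol: script running failed (exited with code 1).
"""

# Only the "Unable to initialize" line names both the scheme and the owning app.
INIT_FAIL = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) ERROR ModularInputs - Unable to initialize modular input '
    r'"(?P<scheme>[^"]+)" defined inside the app "(?P<app>[^"]+)": .*'
    r'\(exited with code (?P<code>\d+)\)')

def failed_modular_inputs(log_text):
    """Return one record per modular input that splunkd failed to introspect."""
    records = []
    for line in log_text.splitlines():
        m = INIT_FAIL.match(line)
        if m:
            records.append({"time": m["ts"], "app": m["app"],
                            "scheme": m["scheme"], "exit_code": int(m["code"])})
    return records

def java_major(version_output):
    """Java major version from `java -version` text, or None if absent.
    Legacy banners read "1.7.0_80" (major 7); newer ones "9" or "9.0.1"."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    first, second = int(m[1]), m[2]
    return int(second) if first == 1 and second is not None else first

def diagnose(log_text, version_output, known_good_major=7):
    """Attach a JRE hint to each failure. known_good_major is an assumption
    taken from the poster's report, not a documented support matrix."""
    major = java_major(version_output)
    if major is None:
        hint = "no JRE version detected: check that java is on splunkd's PATH"
    elif major != known_good_major:
        hint = f"JRE major {major} differs from known-good {known_good_major}"
    else:
        hint = "JRE matches known-good version: check the app's other dependencies"
    return [dict(f, jre_major=major, hint=hint)
            for f in failed_modular_inputs(log_text)]
```

On a live host, pass the contents of splunkd.log and the stderr of `java -version` (the JVM prints its version banner there).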