- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How to enable HEC configuration through an app...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to enable HEC configuration through an app?
I would like to configure HEC via a deployed app, however setting disabled=0 does not seem to do the trick. I notice that there is an app called splunk_httpinput and when I enable HEC via the web UI it seems to enable it there. How can I get this running with just deploying an app dia the deployment server?
From etc/apps/splunk_httpinputs/local/inputs.conf:
[http]
disabled = 0
enableSSL = 0
I do the same in my app and it does not enable it, I can see the tokens but they are not enabled. Any guidance is much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried this to no avail, it enabelss HEC but the tokens do not show up. Plus doing this you cannot retract the app, it creates splunk integrity issues. Any other thougths?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've only just started my first steps in the area of HEC myself, so unfortunately I don't have too many other thoughts. But as far as I can recall from the latest experiments I witnessed, it worked just fine, to use a DS to push the splunk_httpinput to heavy forwarders.
Can you elaborate a bit on how you tried to push the config from the DS? Maybe we can help spot some mistake in how you went about that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue with using DS on a default splunk app is that if you remvoe the app from the DS, it also removes it from the splunk server, therefore causing integirty issues and messages. I have played some and there is a eay to enable to HEC via rest call and then you just need to deploy the tokens I guess... I am still experimenting myself and will let you know!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why would you remove it from the DS? What I understood is that you simply configure it on the DS, then copy/move it over to the deployment-apps folder for pushing to your HFs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The splunk_httpinput app can be distributed by your DS. See this part of the HEC documentation for instructions:
https://docs.splunk.com/Documentation/Splunk/latest/Data/ScaleHTTPEventCollector#Setting_up_distribu...
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
