I would like to configure HEC via a deployed app, however setting disabled=0 does not seem to do the trick. I notice that there is an app called splunk_httpinput and when I enable HEC via the web UI it seems to enable it there. How can I get this running with just deploying an app via the deployment server?
[http]
disabled = 0
enableSSL = 0
I do the same in my app and it does not enable it, I can see the tokens but they are not enabled. Any guidance is much appreciated!
I've only just started my first steps in the area of HEC myself, so unfortunately I don't have too many other thoughts. But as far as I can recall from the latest experiments I witnessed, it worked just fine to use a DS to push the splunk_httpinput to heavy forwarders.
Can you elaborate a bit on how you tried to push the config from the DS? Maybe we can help spot some mistake in how you went about that.
The issue with using DS on a default Splunk app is that if you remove the app from the DS, it also removes it from the Splunk server, therefore causing integrity issues and messages. I have played some and there is a way to enable the HEC via REST call and then you just need to deploy the tokens I guess... I am still experimenting myself and will let you know!
The splunk_httpinput app can be distributed by your DS. See this part of the HEC documentation for instructions: