Archive

How to enable HEC configuration through an app?

Builder

I would like to configure HEC via a deployed app, however setting disabled=0 does not seem to do the trick. I notice that there is an app called splunk_httpinput and when I enable HEC via the web UI it seems to enable it there. How can I get this running with just deploying an app dia the deployment server?
From etc/apps/splunk_httpinputs/local/inputs.conf:

[http]
disabled = 0
enableSSL = 0

I do the same in my app and it does not enable it, I can see the tokens but they are not enabled. Any guidance is much appreciated!

0 Karma

Builder

I have tried this to no avail, it enabelss HEC but the tokens do not show up. Plus doing this you cannot retract the app, it creates splunk integrity issues. Any other thougths?

0 Karma

Ultra Champion

I've only just started my first steps in the area of HEC myself, so unfortunately I don't have too many other thoughts. But as far as I can recall from the latest experiments I witnessed, it worked just fine, to use a DS to push the splunk_httpinput to heavy forwarders.

Can you elaborate a bit on how you tried to push the config from the DS? Maybe we can help spot some mistake in how you went about that.

0 Karma

Builder

The issue with using DS on a default splunk app is that if you remvoe the app from the DS, it also removes it from the splunk server, therefore causing integirty issues and messages. I have played some and there is a eay to enable to HEC via rest call and then you just need to deploy the tokens I guess... I am still experimenting myself and will let you know!

0 Karma

Ultra Champion

Why would you remove it from the DS? What I understood is that you simply configure it on the DS, then copy/move it over to the deployment-apps folder for pushing to your HFs.

0 Karma

Ultra Champion

The splunk_httpinput app can be distributed by your DS. See this part of the HEC documentation for instructions:
https://docs.splunk.com/Documentation/Splunk/latest/Data/ScaleHTTPEventCollector#Setting_up_distribu...

0 Karma