Hi all, I can't seem to generate a HEC token.
Help is appreciated
Set App Context to "splunk_httpinput" app in Input Settings.
If you use search app then updates will be written to:
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf
The account that splunk is running as, does it have rights in that denied directory? Also, to test, have you tried creating this with an admin account to check it's not a weird permissions problem?
The account does have full access to the directory. I am also creating the token with an admin account.
I'm looking at two conf files for this but there doesn't seem to be permission issues
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf
C:\Program Files\Splunk\etc\deployment-apps\splunk_httpinput\local\inputs.conf
Splunk version?
anything more in splunkd.log?