Getting Data In

Any idea why I cam getting global config errors in my HEC config?



I have the following inputs.conf on a clean install of Splunk. But when I restart the instance I get a message that says "All the tokens are currently disabled. They can be enabled in the Global Settings." What config am I missing here?

# inputs.conf
  disabled = 0
  index = pcf
  indexes = pcf
  token = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa

  disabled = 0
Tags (3)
0 Karma


did you create that inputs.conf manually? if so, in what directory? my guess is that your disabled=0 setting is in conflict with a disabled=1 somewhere else...and losing.

This could help you track it down, but I think HEC settings may get a little convoluted.

/opt/splunk/bin/splunk btool inputs list http --debug | grep disabled

It might be worth putting your inputs.conf in /opt/splunk/etc/apps/splunk_http/local ... or maybe at least enabling the http stanza there?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...