Getting Data In

Any idea why I cam getting global config errors in my HEC config?

daniel333
Builder

All,

I have the following inputs.conf on a clean install of Splunk. But when I restart the instance I get a message that says "All the tokens are currently disabled. They can be enabled in the Global Settings." What config am I missing here?

# inputs.conf
[http://pcf]
  disabled = 0
  index = pcf
  indexes = pcf
  token = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa

[http]
  disabled = 0
Tags (3)
0 Karma

maciep
Champion

did you create that inputs.conf manually? if so, in what directory? my guess is that your disabled=0 setting is in conflict with a disabled=1 somewhere else...and losing.

This could help you track it down, but I think HEC settings may get a little convoluted.

/opt/splunk/bin/splunk btool inputs list http --debug | grep disabled

It might be worth putting your inputs.conf in /opt/splunk/etc/apps/splunk_http/local ... or maybe at least enabling the http stanza there?

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...