Any idea why I cam getting global config errors in...

daniel333 · ‎03-19-2018

All,

I have the following inputs.conf on a clean install of Splunk. But when I restart the instance I get a message that says "All the tokens are currently disabled. They can be enabled in the Global Settings." What config am I missing here?

# inputs.conf
[http://pcf]
  disabled = 0
  index = pcf
  indexes = pcf
  token = aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa

[http]
  disabled = 0

maciep · ‎03-19-2018

did you create that inputs.conf manually? if so, in what directory? my guess is that your disabled=0 setting is in conflict with a disabled=1 somewhere else...and losing.

This could help you track it down, but I think HEC settings may get a little convoluted.

/opt/splunk/bin/splunk btool inputs list http --debug | grep disabled

It might be worth putting your inputs.conf in /opt/splunk/etc/apps/splunk_http/local ... or maybe at least enabling the http stanza there?

Any idea why I cam getting global config errors in my HEC config?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Any idea why I cam getting global config errors in my HEC config?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem