The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.
The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunkhttpinput/local/inputs.conf it is the "useDeplyomentServer" setting under the [http] stanza. Once you set this, the collector will write all of it's configuration to the etc/deploymentapps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.
There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deploymentapps/splunkhttpinput folder. Then copy the config from etc/apps/splunk_httpinput in.
As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.
Whoops sorry, I accidentally clicked accept for your answer, so sorry if you got a notification! I wasn't the one who asked the question, it was @johnpof. I'm the Answers content manager 🙂 I just edited the post for better visibility.
Hah no worries I appreciate the reply! Look forward to seeing the docs, if you remember please fire them into this post.
does it have to be called
splunk_httpinput?? IIRC deployment server / splunk .conf guides recommend following an app naming convention, for which that would be bucking the trend 😕