Solved: Newbie question: Push changes from UI to Indexers

ssdarkside2 · ‎09-15-2021

I used Azure/Splunk Enterprise deployment to set up Splunk on my Azure instance.

I then did this:

Settings > Show All Settings
Create an index via Settings > Indexes (Type: Events, ensured it is enabled)
Create an HTTP Event Collector via Settings > Data Inputs > HTTP Event Collector
Attempt to run a curl to the hec Public IP Address Azure Resource that was created

I get:

{"text":"Invalid token","code":4}

Based on what I was reading, I need to push the change out to the Indexers.

So here's my questions:

Can I do that through the UI?
Do I need to update each of the indexers manually?
Is there an alternative location for setting this up I am missing?

Thanks for helping a newbie!

richgalloway · ‎09-15-2021

When you set up HEC on the search head, Splunk added a stanza to inputs.conf for you. Copy that stanza to indexes.conf in an app and install that app on your indexers (use the Cluster Manager if you have one). All indexers should then have the same HEC settings.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-15-2021

When you set up HEC on the search head, Splunk added a stanza to inputs.conf for you. Copy that stanza to indexes.conf in an app and install that app on your indexers (use the Cluster Manager if you have one). All indexers should then have the same HEC settings.

---
If this reply helps you, Karma would be appreciated.

Newbie question: Push changes from UI to Indexers

HTTP Event Collector

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!