Hec token with "Enable indexer acknowledgement" di...

charival · ‎01-08-2023

Hi Team,

Greetings !

I have setup a Splunk on-prem cluster, and data is feed via HEC endpoints.

Here is my HEC token config from inputs.conf

```

[http://IntegrationAckDisabledToken]
disabled = 0
index = integrationindex
indexes =
token = 7XXXX31-58b6-4cf1-XXXXX62d04f
useACK = 0
sourcetype = json_no_timestamp

```

And the I send some data with channel in the header via the /services/collector/raw

And when tried to get the ack using /services/collector/ack as below

curl -X POST "https://mysplunkindexersembhost.com:443/services/collector/ack" \

-H "Authorization: Splunk7XXXX31-58b6-4cf1-XXXXX62d04f" \

-H "X-Splunk-Request-Channel: 145f3699-fd99-42d0-8de9-28b06d937020" \

-H 'Cookie: AWSELB=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/,AWSELBCORS=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/"' \

-H "Content-Length: 12" \

-H "Connection: Keep-Alive" \

-d '{"acks":[1]}' -k

I expected HTTP -400 {"text":"ACK is disabled","code":14}

but received HTTP - 200 {"acks":{"1":true}}

I'm wondering why?

One side note is, I initially created the HEC token with useACK =1, via CLI.

Later disabled the ACK, via UI.

Any gurus in this community seen such behavior?

Thanks,

CG

Hec token with "Enable indexer acknowledgement" disabled , but the /ack returns success, but expected "ACK is disabled"?

configuration

using Splunk Enterprise

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!