I haven't heard any user complain about the default metadata config.
I am wondering the splunk config, e.g. if you used a heavy forwarder for "Http Input" , you can not search the data on heavy forwarder, you have to go to search head or indexer.
To verify it, pls run
hec_host=<splunk-host>
hec_port=8088
hec_token=<splunk-token>
curl -k "https://${hec_host}:${hec_port}/services/collector/event" -H "Authorization: Splunk ${hec_token}" -d \
'{"host":"test-host","index":"jenkins_console","sourcetype":"json:jenkins","source":"logger://dummy","event":{"level":"INFO","log_source":"cmdline","message":"Test HEC"}}'
... View more