Hi Giuseppe,

Thank you for your quick response. Unfortunately, the customers own the hosts where the Splunk forwarders are installed, and their own config does not only sit under /system/local but can also be found under /etc/apps/SplunkUniversialForwarder/local as well. Pushing an app with a script may help. It needs a POC. For the HEC/network input, for example, once a customer has the token or port, they can specify the index name and sourcetype name in the curl command before sending to the endpoint; they do not have permission to modify it on the SH or IDX. Could you please advise further? Thanks.