Hi Team,
Greetings !
I have setup a Splunk on-prem cluster, and data is feed via HEC endpoints.
Here is my HEC token config from inputs.conf
```
[http://IntegrationAckDisabledToken] disabled = 0 index = integrationindex indexes = token = 7XXXX31-58b6-4cf1-XXXXX62d04f useACK = 0 sourcetype = json_no_timestamp
```
And the I send some data with channel in the header via the /services/collector/raw
And when tried to get the ack using /services/collector/ack as below
curl -X POST "https://mysplunkindexersembhost.com:443/services/collector/ack" \
-H "Authorization: Splunk7XXXX31-58b6-4cf1-XXXXX62d04f" \
-H "X-Splunk-Request-Channel: 145f3699-fd99-42d0-8de9-28b06d937020" \
-H 'Cookie: AWSELB=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/,AWSELBCORS=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/"' \
-H "Content-Length: 12" \
-H "Connection: Keep-Alive" \
-d '{"acks":[1]}' -k
I expected HTTP -400 {"text":"ACK is disabled","code":14}
but received HTTP - 200 {"acks":{"1":true}}
I'm wondering why?
One side note is, I initially created the HEC token with useACK =1, via CLI.
Later disabled the ACK, via UI.
Any gurus in this community seen such behavior?
Thanks,
CG
... View more