Hi Gurus,  Greetings. Please advise whether Splunk HEC endpoint can ingest proto buff msgs? Parse the pb message(using configured schema) and convert it into format that is compatible with index and search heads. If already there is app for it, please point me to it. If not please share the app sdk doc, that let me to add custom logic before indexing, if applicable. Thanks in advance! ... View more

Hi, Greetings I'm trying to add a search heads to an existing cluster by updating the server.conf file. To be more specific I'm adding three search head. One search head added successfully, but when I repeat the same steps in other two search heads. It doesn't joins the cluster. I see the below is the sout when Splunk is restarted. Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open Checking configuration... Done. Checking critical directories... Done Checking indexes... Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary Done Bypassing local license checks since this instance is configured with a remote license master. Checking filesystem compatibility... Done Checking conf files for problems... Done Checking default conf files for edits... Validating installed files against hashes from '/opt/splunk/splunk-7.1.1-8f0ead9ec3db-linux-2.6-x86_64-manifest' All installed files intact. Done Checking replication_port port [8090]: open All preliminary checks passed. Starting splunk server daemon (splunkd)... Done [ OK ] Waiting for web server at http://127.0.0.1:8000 to be available........... WARNING: web interface does not seem to be available! Please advise. Thanks, CG ... View more

Hi Team,  Greetings ! I have setup a Splunk on-prem cluster, and data is feed via HEC endpoints. Here is my HEC token config from inputs.conf ``` [http://IntegrationAckDisabledToken] disabled = 0 index = integrationindex indexes = token = 7XXXX31-58b6-4cf1-XXXXX62d04f useACK = 0 sourcetype = json_no_timestamp ``` And the I  send some data with channel in the header via the /services/collector/raw And when tried to get the ack using /services/collector/ack as below  curl -X POST "https://mysplunkindexersembhost.com:443/services/collector/ack" \ -H "Authorization: Splunk7XXXX31-58b6-4cf1-XXXXX62d04f" \ -H "X-Splunk-Request-Channel: 145f3699-fd99-42d0-8de9-28b06d937020" \ -H 'Cookie: AWSELB=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/,AWSELBCORS=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/"' \ -H "Content-Length: 12" \ -H "Connection: Keep-Alive" \ -d '{"acks":[1]}' -k   I expected HTTP -400 {"text":"ACK is disabled","code":14} but received HTTP - 200 {"acks":{"1":true}} I'm wondering why? One side note is, I initially created the HEC token with useACK =1, via CLI. Later disabled the ACK, via UI.  Any gurus in this community seen such behavior?  Thanks, CG ... View more