I am in the process of working on a standard way to create new HEC tokens, and have them automatically configured on all Heavy Forwarders (I use a Deployment Server and, like you, my own custom app for Heavy Forwarder configs.)
So if I understand you correctly, you generate new tokens (disabled) on your deployment server using the web UI, and then you are copying the new stanza from inputs.conf in the splunk_httpinput app to your custom app and then enabling them there?
That is what I was thinking of doing, and was looking around to see if anyone else was doing this or had any other options when I came across this.
My only other option so far is to keep using the splunk_httpinput app, have it configured and deployed via the Deployment Server, but in this case the tokens would then also be enabled on the Deployment Server - which probably doesn't matter but I'd rather not have it set up this way. I already have a Deployment Server in place, so cannot set it up on one of the Heavy Forwarders as Splunk documentation recommends.
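A sketch of the copy-and-enable step discussed in this post, as an added example that is not part of the original post or of Splunk's tooling: it takes the inputs.conf text written to the splunk_httpinput app (tokens created disabled) and produces the text for the custom Heavy Forwarder app with each token stanza enabled. The stanza names, token values and the `enable_global` switch are assumptions made for illustration.

```python
import configparser
import io

# Constructed sample of what the web UI writes on the Deployment Server
# (token values are made-up placeholders, not real tokens).
SOURCE_INPUTS = """\
[http]
disabled = 1

[http://app_a]
disabled = 1
token = 00000000-0000-0000-0000-00000000000a
index = main

[http://app_b]
disabled = 1
token = 00000000-0000-0000-0000-00000000000b
"""


def conf_parser():
    # "=" is the only delimiter so stanza names and values may contain ":"
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    return cp


def build_forwarder_inputs(source_text, enable_global=True):
    """Return inputs.conf text for the Heavy Forwarder app: every
    [http://<name>] token stanza is copied with disabled = 0."""
    src = conf_parser()
    src.read_string(source_text)
    out = conf_parser()
    if enable_global:
        # Assumption: the forwarder app also switches on the global [http] stanza
        out["http"] = {"disabled": "0"}
    for section in src.sections():
        if not section.startswith("http://"):
            continue  # skip the source [http] stanza and any non-HEC inputs
        if "token" not in src[section]:
            raise ValueError(f"{section} has no token")
        out[section] = dict(src[section])
        out[section]["disabled"] = "0"
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(build_forwarder_inputs(SOURCE_INPUTS))
```

The source text stays untouched, so the tokens remain disabled on the Deployment Server itself while the generated file is what gets deployed to the forwarders.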