
How to enable HEC configuration through an app?

brent_weaver
Builder

I would like to configure HEC via a deployed app, however setting disabled=0 does not seem to do the trick. I notice that there is an app called splunk_httpinput and when I enable HEC via the web UI it seems to enable it there. How can I get this running with just deploying an app via the deployment server?
From etc/apps/splunk_httpinputs/local/inputs.conf:

[http]
disabled = 0
enableSSL = 0

I do the same in my app and it does not enable it, I can see the tokens but they are not enabled. Any guidance is much appreciated!

0 Karma

brent_weaver
Builder

I have tried this to no avail, it enables HEC but the tokens do not show up. Plus doing this you cannot retract the app, it creates Splunk integrity issues. Any other thoughts?

0 Karma

FrankVl
Ultra Champion

I've only just started my first steps in the area of HEC myself, so unfortunately I don't have too many other thoughts. But as far as I can recall from the latest experiments I witnessed, it worked just fine, to use a DS to push the splunk_httpinput to heavy forwarders.

Can you elaborate a bit on how you tried to push the config from the DS? Maybe we can help spot some mistake in how you went about that.

0 Karma

brent_weaver
Builder

The issue with using DS on a default Splunk app is that if you remove the app from the DS, it also removes it from the Splunk server, therefore causing integrity issues and messages. I have played some and there is a way to enable HEC via REST call and then you just need to deploy the tokens I guess... I am still experimenting myself and will let you know!

0 Karma

FrankVl
Ultra Champion

Why would you remove it from the DS? What I understood is that you simply configure it on the DS, then copy/move it over to the deployment-apps folder for pushing to your HFs.

0 Karma

FrankVl
Ultra Champion

The splunk_httpinput app can be distributed by your DS. See this part of the HEC documentation for instructions:
https://docs.splunk.com/Documentation/Splunk/latest/Data/ScaleHTTPEventCollector#Setting_up_distribu...

0 Karma
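An added example, not part of the thread and not Splunk's own tooling: a small check to run over an app's inputs.conf before it goes into deployment-apps, reporting whether the `[http]` stanza enables HEC, whether `enableSSL = 0` leaves tokens travelling in cleartext, and which `[http://...]` token stanzas are disabled. The sample file, token names and token values are constructed placeholders, and the fallback defaults are assumptions to confirm against your version's inputs.conf.spec.

```python
import configparser

# Constructed sample of an app's local/inputs.conf; token values are placeholders.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
enableSSL = 0

[http://app_events]
token = 00000000-0000-0000-0000-000000000000
disabled = 1

[http://metrics]
token = 11111111-1111-1111-1111-111111111111
"""

TRUE_VALUES = {"1", "true", "t", "yes", "y"}

def _flag(section, key, default):
    """Read a Splunk-style boolean, falling back to the given default."""
    raw = section.get(key)
    return default if raw is None else raw.strip().lower() in TRUE_VALUES

def audit_hec(conf_text):
    """Report global HEC state, SSL state and per-token state for one inputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. enableSSL
    cp.read_string(conf_text)
    glob = cp["http"] if cp.has_section("http") else {}
    # Assumed defaults: [http] disabled, SSL on, tokens enabled unless set otherwise.
    report = {
        "hec_enabled": not _flag(glob, "disabled", True),
        "ssl_enabled": _flag(glob, "enableSSL", True),
        "tokens": {},
        "findings": [],
    }
    for name in cp.sections():
        if name.startswith("http://"):
            enabled = not _flag(cp[name], "disabled", False)
            report["tokens"][name[len("http://"):]] = enabled
            if not enabled:
                report["findings"].append(f"token '{name[7:]}' is disabled")
    if not report["hec_enabled"]:
        report["findings"].append("[http] is disabled: no token will accept events")
    if not report["ssl_enabled"]:
        report["findings"].append("enableSSL = 0: tokens and events are sent unencrypted")
    return report

if __name__ == "__main__":
    for finding in audit_hec(SAMPLE_INPUTS_CONF)["findings"]:
        print(finding)
```

This reads a single file only; Splunk merges inputs.conf across apps, so compare the result with `splunk btool inputs list http --debug` on the receiving instance to see which app supplies each effective value.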