I see similar behavior. I added an app that creates a new index, and defines HEC token and added the app to a fresh install (8.0.2) with no other changes. For me. the HEC is enabled (I can curl a request and see the data ingested to the new index). Btool shows the app's effect in the runtime config.
/opt/splunk/etc/apps/docker_hec_inputs/local/inputs.conf [http]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf ackIdleCleanup = true
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf allowSslCompression = true
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf allowSslRenegotiation = true
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicatedIoThreads = 2
--> /opt/splunk/etc/apps/docker_hec_inputs/local/inputs.conf disabled = 0 <--
--> /opt/splunk/etc/apps/docker_hec_inputs/local/inputs.conf enableSSL = 0 <--
/opt/splunk/etc/system/local/inputs.conf host = splunktest
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSockets = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThreads = 0
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf sslVersions = *,-ssl2
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploymentServer = 0
As far as I can tell it's a UI bug more than a issue with the config not taking effect. The UI only seems to remove the red ! warning and stop showing "disabled' tokens if the splunk_httpinput/local/inputs.conf file exists with a [http] stanza and disabled=0 exists.
... View more