Environment:
Splunk version: 7.2.5
Distributed deployment with multiple Heavy Forwarders managed by Deploymentserver.
I wrote an app for the Heavy Forwarders to handle the inputs:
-TA-HF-ListenToInput/local/inputs.conf
[http]
port = 8088
disabled = 0
enableSSL = 1
[splunktcp-ssl:9997]
disabled = 0
Rolling out this app has the following effect regarding HEC:
1. btool shows that the [http] config from this file is in runtime config
2. HEC is NOT enabled
3. In the GUI, HEC will show as not enabled; opening the settings shows that the "enabled" button is "clicked", but it is required to click it again and confirm to get HEC enabled.
If I roll out the [http] part of this config using the splunk_httpinput app as deployment-app, HEC works just fine as desired.
The only way I now see to enable HEC on Heavy Forwarders via Deploymentserver is rolling out splunk_httpinput. However, this has the downside that I need to check in the default folder of the app in version control without making any changes to it, because it will otherwise be deleted and Splunk will throw warnings for a failed file integrity check as a result.
I am also not looking to handle HEC centrally from Deploymentserver, since it reduces the modularity of my deployment.
In my opinion, this behaviour is a bug, solely based on the fact that the btool check does not reflect the state of the system, but before I raise it as a bug report, I want to ask whether anyone else has encountered similar issues and knows a better workaround than what I can come up with.
Finally, it would probably be worth noting that my app has lower precedence than splunk_httpinput lexicographically in my case, but 'local' should of course still take precedence over 'default'.