@6d61726b760a
Last active September 30, 2024 01:33
splunk - generate a list of HEC token strings from splunk cloud config

This SPL will generate a list of HEC token strings that you could copy pasta straight into an inputs.conf (although testing & validation is always wise).

Useful if you are trying to replicate Splunk Cloud HEC tokens to Heavy Forwarders.

Example output:

[<token title>]
description = <description, (if blank, title)>
disabled = 0
index = index_1
indexes = index_1,index_2
sourcetype = mysourcetype
token = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
useACK = true
allowQueryStringAuth = false

| rest splunk_server=local /services/data/inputs/http
| fillnull value="" title description disabled index indexes sourcetype token
| fillnull value=0 useACK
| eval token_string = ""
| eval token_string = token_string + "[" + title + "]" + "|"
| eval token_string = token_string + "description = " + if(description=="", replace(title, "http:\/\/", ""), description) + "|"
| eval token_string = token_string + "disabled = " + disabled + "|"
| eval token_string = token_string + "index = " + index + "|"
| eval token_string = token_string + "indexes = " + mvjoin(indexes, ",") + "|"
| eval token_string = token_string + "sourcetype = " + sourcetype + "|"
| eval token_string = token_string + "token = " + token + "|"
| eval token_string = token_string + "useACK = " + if(useACK=0,"false","true") + "|"
| eval token_string = token_string + "allowQueryStringAuth = false"
| rex mode=sed field=token_string "s/\|/\n/g"
| table title token_string
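
One way to do the testing and validation mentioned above before the stanzas land on a Heavy Forwarder. This is an added example, not part of the original gist: `validate_hec_stanzas` is a hypothetical helper, the sample stanzas are constructed, and it assumes tokens are GUID-formatted as in the example output.

```python
import configparser
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Constructed sample of pasted token_string output (not real tokens).
SAMPLE = """\
[http://app_a]
index = index_1
indexes = index_1,index_2
sourcetype = mysourcetype
token = 11111111-2222-3333-4444-555555555555
allowQueryStringAuth = false

[http://app_b]
index = index_3
indexes = index_1,index_2
sourcetype =
token = 11111111-2222-3333-4444-555555555555
allowQueryStringAuth = false
"""

def validate_hec_stanzas(conf_text):
    """Return (stanza, problem) findings for generated HEC token stanzas."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep useACK / allowQueryStringAuth case intact
    cp.read_string(conf_text)
    findings, seen = [], {}
    for stanza in cp.sections():
        s = cp[stanza]
        if not stanza.startswith("http://"):
            findings.append((stanza, "stanza name is not http://<name>"))
        token = s.get("token", "")
        if not GUID.match(token):
            findings.append((stanza, "token is missing or not a GUID"))
        elif token.lower() in seen:
            findings.append((stanza, "token duplicates " + seen[token.lower()]))
        else:
            seen[token.lower()] = stanza
        # fillnull value="" in the SPL emits "key = " lines for unset fields
        for key in ("index", "indexes", "sourcetype"):
            if key in s and s[key].strip() == "":
                findings.append((stanza, key + " is blank; delete the line"))
        allowed = [i.strip() for i in s.get("indexes", "").split(",") if i.strip()]
        index = s.get("index", "").strip()
        if allowed and index and index not in allowed:
            findings.append((stanza, "index is not in indexes"))
        if s.get("allowQueryStringAuth", "false").lower() not in ("false", "0"):
            findings.append((stanza, "allowQueryStringAuth is enabled"))
    return findings
```

Call `validate_hec_stanzas()` on the pasted text and resolve every finding before deploying; an empty list means none of these checks fired.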