fix(CSPL-4617): preserve custom httpinput configs set via splunk.conf#904
Open
vivekr-splunk wants to merge 2 commits into
Open
fix(CSPL-4617): preserve custom httpinput configs set via splunk.conf#904vivekr-splunk wants to merge 2 commits into
vivekr-splunk wants to merge 2 commits into
Conversation
…httpinput
The 'Setup global HEC' task ran unconditionally and always POSTed to
/services/data/inputs/http/http, overwriting enableSSL (and any other
global HEC settings) even when the caller only set HEC config via
splunk.conf. That config map path writes inputs.conf on disk before Splunk
starts, but the REST call after startup would silently reset enableSSL to 0
and ignore httpEventCollectorWithAckEnabled entirely.
Fix: introduce a 'Build global HEC body' set_fact that only fires when at
least one of splunk.hec.{enable,ssl,port,cert} or the deprecated hec_*
variables is explicitly supplied. Guard the REST POST behind
`when: hec_global_body is defined`. When only splunk.conf is used, neither
task runs and the on-disk inputs.conf values are preserved.
enableSSL is now only included in the request body when splunk.hec.ssl is
explicitly set, preventing the implicit default of 0 from overriding a
value written via splunk.conf.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
When a config map is updated and pods are rolled, keys removed from the config map were not removed from the on-disk .conf file because ini_file with state=present only adds/updates — it never deletes stanzas or keys. This caused old remotequeue (and other) stanza values to persist across pod restarts even after the config map was changed. Fix: add a task in set_config_file.yml that deletes the target conf file before writing, so each pod start applies a clean state that exactly matches the current config map. The removal is guarded by `conf_stanzas | length > 0` to avoid removing files written by other tasks when the config map entry has no content stanzas. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
michaellee-splunk
approved these changes
May 7, 2026
caiicaii
approved these changes
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bug 1 — HEC REST overwrites splunk.conf values: The
Setup global HECtask inset_as_hec_receiver.ymlran unconditionally and always POSTed to/services/data/inputs/http/http, silently overwritingenableSSLand other global HEC settings (e.g.httpEventCollectorWithAckEnabled) even when the caller only set HEC config viasplunk.conf. Fixed by guarding the REST call behind aset_factthat only fires whensplunk.hec.*or deprecatedhec_*vars are explicitly supplied.enableSSLis now only included in the body whensplunk.hec.sslis explicitly set.Bug 2 — Stale conf file keys persist across pod restarts: When a config map is updated and pods are rolled, keys removed from the config map were not removed from the on-disk
.conffile becauseini_filewithstate: presentonly adds/updates — it never deletes stanzas or keys. This caused oldremotequeue(and other) stanza values to persist. Fixed by deleting the target conf file before writing, so each pod start applies a clean state matching the current config map exactly.Files changed
roles/splunk_common/tasks/set_as_hec_receiver.yml— conditionalset_factfor HEC body; REST POST guarded bywhen: hec_global_body is definedroles/splunk_common/tasks/set_config_file.yml— delete conf file before writing stanzas to ensure config map is the source of truthTest plan
splunk.confsettingenableSSL: "0"andhttpEventCollectorWithAckEnabled: "true"insplunk_httpinput/local/inputs.conf— verify values survive ansible run (Setup global HEC task should be skipped)splunk.hec.ssl: true— verifyenableSSLis correctly sent to REST endpoint.conffile on disksplunk.hec.enable: true+splunk.confhttpinput settings — verify both coexist correctlyFixes: CSPL-4617
🤖 Generated with Claude Code