splunk / splunk-operator

Splunk Operator for Kubernetes

Enable HTTP Event Collector distributed deployment (from management console or cluster master) #167

Open outcoldman opened 4 years ago

outcoldman commented 4 years ago

HTTP Event Collector can be configured as a deployment server; it will be nice to configure it on one of the instances, so you can create tokens via the UI:

https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29

useDeploymentServer = <boolean>
* Whether or not the HTTP event collector input should write its
  configuration to a deployment server repository.
* When you enable this setting, the input writes its
  configuration to the directory that you specify with the
  'repositoryLocation' setting in the serverclass.conf file.
* You must copy the full contents of the splunk_httpinput app directory
  to this directory for the configuration to work.
* When enabled, only the tokens defined in the splunk_httpinput app in this
  repository are viewable and editable through the API and Splunk Web.
* When disabled, the input writes its configuration to
  $SPLUNK_HOME/etc/apps by default.
* Default: 0 (disabled)

I remember it was a little bit tricky to implement, as you need to deploy the application on the CM, and after that deploy it to the indexers, but I am sure we have done it, and sure somebody remembers how :D
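A check for the requirements in the quoted inputs.conf text, as an added example that is not part of the original thread or the Splunk Operator code: it reports whether `useDeploymentServer` is enabled and whether every file of the local `splunk_httpinput` app also exists under `repositoryLocation`. The file locations, the accepted boolean spellings, the `deployment-apps` default and the `master-apps` value in the constructed sample are assumptions, and configuration layering across apps is not modelled.

```python
import os

TRUTHY = {"1", "true", "t", "yes", "y"}  # assumption: boolean spellings Splunk accepts
DEFAULT_REPO = "$SPLUNK_HOME/etc/deployment-apps"  # assumption: serverclass.conf default
SERVERCLASS = "etc/system/local/serverclass.conf"  # assumption: where the setting lives

def read_conf(path):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    conf, stanza = {}, "default"
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            for line in map(str.strip, fh):
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1]
                elif "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def files_under(root):
    """Relative paths of every file below root (empty set if root is absent)."""
    return {os.path.relpath(os.path.join(d, f), root)
            for d, _, names in os.walk(root) for f in names}

def check_hec_repo(home):
    """Return problems found; an empty list means the layout matches the spec text."""
    app = os.path.join(home, "etc", "apps", "splunk_httpinput")
    http = read_conf(os.path.join(app, "local", "inputs.conf")).get("http", {})
    problems = []
    if http.get("useDeploymentServer", "0").lower() not in TRUTHY:
        problems.append("useDeploymentServer is disabled")
    sc = read_conf(os.path.join(home, SERVERCLASS))
    repo = sc.get("global", {}).get("repositoryLocation", DEFAULT_REPO)
    repo_app = os.path.join(repo.replace("$SPLUNK_HOME", home), "splunk_httpinput")
    missing = files_under(app) - files_under(repo_app)
    return problems + [f"not copied to repository: {m}" for m in sorted(missing)]

def build_sample(home, repo_files):
    """Constructed sample tree; repo_files are the files copied into master-apps."""
    app, repo = "etc/apps/splunk_httpinput/", "etc/master-apps/splunk_httpinput/"
    layout = {app + "default/inputs.conf": "[http]\ndisabled = 1\n",
              app + "local/inputs.conf": "[http]\nuseDeploymentServer = 1\n",
              SERVERCLASS: "[global]\nrepositoryLocation = $SPLUNK_HOME/etc/master-apps\n"}
    layout.update({repo + rel: "" for rel in repo_files})
    for rel, text in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
```

Calling `build_sample(tmp, ["local/inputs.conf"])` followed by `check_hec_repo(tmp)` on a temporary directory reports the `default/inputs.conf` file that was left out of the repository copy.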

outcoldman commented 4 years ago

Also, it is pretty weird that currently HEC is configured directly on indexers, without master-apps from cluster-master. So it is hard to keep all the configurations in sync.

pogdin commented 4 years ago

I think we would need to create a Deployment Server CRD for this. We have that in the backlog. Also, wouldn't the DS have to push to master-apps first to distribute to the index cluster? Doable but requires tiered DS setup. The HEC being configured on the indexers ootb I believe comes as part of the default container config.