Hello,
SPLUNK used to get data through HEC using 8088 port. But when we moved it to a new HF with new token it's now stopped getting data under new setting. Nothing has changed except the HF/server/token used. Any recommendation will be highly appreciated. Thank you so much.
Have you check that you have gotten anything else from that HF?
If it send internal logs to your indexers then you should check that you have enabled HEC on that HF with the same parameters than in old HF. Check also that it has valid certs if you are previously used HEC over https (you should). After that you should check individual HEC tokens that those are correctly set.
If/when you have MC up and running you could add both HF as an indexer to it and use then it's dashboards to check what happening there (Settings -> MC -> Indexing -> Inputs -> HEC ...)
Another way is to use "splunk btool inputs list --debug" on cmd line on those HFs and check what differences those have.
r. Ismo
Have you check that you have gotten anything else from that HF?
If it send internal logs to your indexers then you should check that you have enabled HEC on that HF with the same parameters than in old HF. Check also that it has valid certs if you are previously used HEC over https (you should). After that you should check individual HEC tokens that those are correctly set.
If/when you have MC up and running you could add both HF as an indexer to it and use then it's dashboards to check what happening there (Settings -> MC -> Indexing -> Inputs -> HEC ...)
Another way is to use "splunk btool inputs list --debug" on cmd line on those HFs and check what differences those have.
r. Ismo