Re: Splunk Connect 4 Syslog - IDM

sunaryot · ‎03-29-2021

Does anyone know if HEC endpoint can be configured directly onto the IDM so SC4S traffic can be sent to it? It is tailor made for Splunk Cloud but I have not read anything that says that in their documentation.

richgalloway · ‎03-29-2021

The SC4S team recommends traffic be sent directly to HEC inputs on the indexers.

---
If this reply helps you, Karma would be appreciated.

sunaryot · ‎03-29-2021

In our splunk cloud environment, we currently do not have any indexers deployed since we have an IDM and multiple HFs. It is strongly recommended that we send the traffic to the HEC endpoints configured directly on the indexers but would it work by configuring the HEC endpoint on Splunk Cloud?

richgalloway · ‎03-29-2021

If you have Splunk Cloud then you have indexers. Configuring HEC input on Splunk Cloud puts the input on the indexers.

---
If this reply helps you, Karma would be appreciated.

s2_splunk · ‎03-29-2021

If you have a recently provisioned SplunkCloud stack, you have a HEC address provisioned and enabled for you already.

Your target HEC URL should be

http-inputs-{yourstackname}.splunkcloud.com

You will find more documentation here.

You should be able to send HEC traffic directly to this VIP address. If this doesn't work, please open a case with Splunk support.

Splunk Connect 4 Syslog - IDM

installation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation