Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

flee
Path Finder
‎08-09-2016 10:18 AM

Hello,

We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎08-09-2016 12:23 PM

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎08-09-2016 12:23 PM

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

Reply
Solved! Jump to solution

flee
Path Finder
‎09-21-2016 08:44 PM

jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.

0 Karma
Reply
Solved! Jump to solution

flee
Path Finder
‎08-09-2016 02:54 PM

Thank you Jeremiah! The doc link helps as well.

0 Karma
Reply
Solved! Jump to solution

jmmccollum
Engager
‎09-21-2016 10:51 AM

What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...