Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

flee
Path Finder
‎08-09-2016 10:18 AM

Hello,

We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎08-09-2016 12:23 PM

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎08-09-2016 12:23 PM

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

Reply
Solved! Jump to solution

flee
Path Finder
‎09-21-2016 08:44 PM

jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.

0 Karma
Reply
Solved! Jump to solution

flee
Path Finder
‎08-09-2016 02:54 PM

Thank you Jeremiah! The doc link helps as well.

0 Karma
Reply
Solved! Jump to solution

jmmccollum
Engager
‎09-21-2016 10:51 AM

What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...