Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

flee
Path Finder

Hello,

We have a Splunk Enterprise environment that has separate tiers that are clustered: Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?

Thank you.

0 Karma

Jeremiah
Motivator

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.
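A sketch of the scaled-out layout described in the answer above, added here as an example and not taken from the original post or from Splunk's documentation. The app name `hec_inputs`, the server class name `hec_forwarders`, the host pattern, the index name and the all-zero token are constructed placeholders.

```ini
# --- On the deployment server ---
# File: $SPLUNK_HOME/etc/deployment-apps/hec_inputs/local/inputs.conf
# (hec_inputs is a hypothetical app name)

# Global HEC settings: turn the collector on and keep TLS enabled,
# since the token travels in the Authorization header of every request.
[http]
disabled = 0
port = 8088
enableSSL = 1

# One stanza per token. Because the same file is pushed to every
# forwarder, each forwarder behind the load balancer accepts the same
# token value.
[http://app_logs]
disabled = 0
# Constructed placeholder; generate a real GUID and treat it as a secret.
token = 00000000-0000-0000-0000-000000000000
# Default index for events sent with this token.
index = app_logs
# Restrict the token to this index so a client cannot write elsewhere.
indexes = app_logs
sourcetype = _json

# File: $SPLUNK_HOME/etc/system/local/serverclass.conf
# Maps the app to the forwarders that run HEC
# (host pattern is an assumption).
[serverClass:hec_forwarders]
whitelist.0 = hec-fwd-*.example.com

[serverClass:hec_forwarders:app:hec_inputs]
stateOnClient = enabled
# Restart the forwarder after the app is delivered so the new or
# rotated token takes effect.
restartSplunkd = true
```

Rotating a token then means editing the one `token` line on the deployment server and reloading it, rather than touching each forwarder.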

flee
Path Finder

jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.

0 Karma

flee
Path Finder

Thank you Jeremiah! The doc link helps as well.

0 Karma

jmmccollum
Engager

What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?
