Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

flee
Path Finder

Hello,

We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?

Thank you.

0 Karma
1 Solution

Jeremiah
Motivator

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.
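
The scale-out layout described in the answer above, sketched as a deployment-server app. This is an added example, not part of the original post or Splunk's own shipped configuration; the app name `hec_inputs`, the server class `hec_forwarders`, the host pattern, the index, the sourcetype and the token value are placeholders.

```ini
# ---- On the deployment server ----
# $SPLUNK_HOME/etc/deployment-apps/hec_inputs/local/inputs.conf
# (app name "hec_inputs" is a placeholder)

# Global HEC settings: turn the collector on and keep TLS enabled,
# since the token travels in the Authorization header of every request.
[http]
disabled = 0
port = 8088
enableSSL = 1

# One stanza per token. The same stanza lands on every forwarder,
# so any forwarder behind the load balancer accepts this token.
# Token value below is a constructed placeholder; generate a real GUID.
[http://app_events]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
index = app_events
sourcetype = app:json

# ---- On the deployment server ----
# $SPLUNK_HOME/etc/system/local/serverclass.conf

# Select only the HEC-receiving forwarders (host pattern is a placeholder).
[serverClass:hec_forwarders]
whitelist.0 = hec-fwd-*

# Push the app to that class and restart splunkd so the input is picked up.
[serverClass:hec_forwarders:app:hec_inputs]
stateOnClient = enabled
restartSplunkd = true
```

Each token is a bearer credential, so scoping it to a single index and rotating it by editing this one file on the deployment server keeps every forwarder consistent.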

flee
Path Finder

jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.

0 Karma

flee
Path Finder

Thank you Jeremiah! The doc link helps as well.

0 Karma

jmmccollum
Engager

What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?
