- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Where do I enable HTTP Event Collector (HEC) and c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several deployment strategies outlined in the docs:
http://dev.splunk.com/view/event-collector/SP-CAAAE73
If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.
You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.
If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jmmccollum, these following Splunk answers might help you:
https://answers.splunk.com/answers/685621/hec-and-indexer-clustering.html
https://answers.splunk.com/answers/734827/how-to-deploy-hec-and-token-to-indexers-in-a-clust-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several deployment strategies outlined in the docs:
http://dev.splunk.com/view/event-collector/SP-CAAAE73
If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.
You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.
If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Jeremiah! The doc link helps as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
