Dashboards & Visualizations

Where do I enable HTTP Event Collector (HEC) and create a new token in an environment with both search head and indexer clustering?

flee
Path Finder

Hello,

We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?

Thank you.

0 Karma
1 Solution

Jeremiah
Motivator

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

View solution in original post

Jeremiah
Motivator

There are several deployment strategies outlined in the docs:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you have a large enough deployment where you have search and indexing tiers, you probably also want to split out the http event collection service onto one or more forwarders.

You can use a single forwarder to receive HEC events and generate keys. That's probably the simplest way to get started.

If you decide to scale out, you can add additional forwarders and use the deployment server to generate keys and automatically distribute them among the forwarders. Use a load balancer to distribute requests among your forwarders.

flee
Path Finder

jmmccollum, we haven't started our HEC effort yet. Hopefully, someone else can help answer your questions.

0 Karma

flee
Path Finder

Thank you Jeremiah! The doc link helps as well.

0 Karma

jmmccollum
Engager

What is the best way to manage tokens in a clustered indexer environment where we want to run HEC on the indexers? Can we run a deployment server just for token management while the cluster master manages everything else?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...