Deployment Architecture

Universal / Heavy Forwarder vs HTTP Event Collector

nks
New Member

Hi,
My requirement is to push a continuous stream of data into Splunk for search and reporting. Data will be provided to me in the form of CSV files by a batch job.
These CSV files will be placed in a folder as input, and once I am done inserting them into Splunk, these files need to be deleted from the folder for new files to come in.

I am wondering which route I should pick, namely: A) set up Universal or Heavy Forwarders, which will push the data from the CSV files to Splunk, or B) write my own custom Java code to push data from the CSV files to HEC endpoints.

0 Karma

Richfez
SplunkTrust

If you installed a Universal Forwarder and set the files up as a batch input, as long as you have your output configured and have set your timestamping and whatnot right, you are done.

I mean, sure you COULD write custom Java code, but why?

Now, if it's REALLY high volume (by that, I mean hundreds of GB/day or more, definitely unlikely for this to be a problem even at dozens of GB/day), HEC may be beneficial.

In the docs I linked, ignore the warnings about doing it only for large uploads of historical data, and also ignore the part about how it works in Splunk Web. They don't matter.

Richfez
SplunkTrust

nks,

If this resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

0 Karma
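
A sketch of the Universal Forwarder setup the accepted answer describes, added here as an example and not taken from the thread: a batch input whose `move_policy = sinkhole` makes the forwarder delete each CSV after reading it, which covers the cleanup requirement in the question. The drop directory, index, sourcetype name, timestamp column and format, and indexer address are assumed placeholders.

```ini
# ---- inputs.conf on the Universal Forwarder ----
# (in $SPLUNK_HOME/etc/system/local/ or an app's local/ directory)
# Assumed drop directory; the batch job writes its CSV files here.
[batch:///data/incoming/csv/*.csv]
# Required for batch inputs: the file is deleted once the forwarder has read it.
move_policy = sinkhole
# Assumed sourcetype and index names.
sourcetype = batch_csv
index = main
disabled = false

# ---- props.conf on the same forwarder ----
# Structured-data parsing (INDEXED_EXTRACTIONS) runs on the forwarder,
# so this stanza belongs here rather than on the indexer.
[batch_csv]
INDEXED_EXTRACTIONS = csv
# Assumed name and format of the CSV column that holds the event time.
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
SHOULD_LINEMERGE = false

# ---- outputs.conf on the forwarder ----
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed indexer host and receiving port.
server = indexer.example.com:9997
# Indexer acknowledgment: the forwarder resends data the indexer did not confirm.
useACK = true
```

Because the input deletes what it reads, the account the forwarder runs as needs write permission on the drop directory, and the batch job should move each finished file into the directory rather than write it there in place.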