Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Clarify HEC Indexer Acknowledgement

ro_mc
Path Finder
‎11-11-2021 11:32 PM

The link below provides the following paragraph:

"...HEC responds with the status information to the client. The body of the reply contains the status of each of the requests that the client queried. A true status indicates that the event that corresponds to that ackID was replicated at the desired replication factor. A true status does not guarantee that the event was indexed, because the parsing pipeline might drop events that can't be parsed. A false status indicates that there is no status information for that ackID, or that the corresponding event has not been indexed."

Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/AboutHECIDXAck

This seems contradictory. How can the event for the ackID be replicated at the desired replication factor if it does not guarantee that the event was indexed? However, I noticed that earlier in the documentation, with indexer acknowledgement turned off, it states:

"By default, when HEC receives an event successfully, it immediately sends an HTTP Status 200 code to the sender of the data. However, this only means that the event data appears to be valid, and HEC sends the status message before the event data enters the processing pipeline."

Does the lack of guarantee only refer to when acknowledgement is NOT enabled? I.e. does an ackID value of "True" guarantee that the data has been indexed (and replicated) successfully?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2021 10:13 AM

When you have questions, comments, or are confused about Splunk documentation, the best action is to submit Feedback on the page.  The Splunk Docs team is excellent about responding to user feedback.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2021 10:13 AM

When you have questions, comments, or are confused about Splunk documentation, the best action is to submit Feedback on the page.  The Splunk Docs team is excellent about responding to user feedback.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...