Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do we need to run an indexer rolling restart when getting new HEC data stream?

danielbb
Motivator
‎03-18-2025 09:17 AM

We are transitioning from getting the HEC data through HFs to getting it directly to the indexers and we are wondering if upon introducing a new data source are we forced to do an indexer rolling restart. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-18-2025 10:10 AM

Since you're talking about rolling restart, I suppose you're using indexer cluster.

In this case adding an input (as opposed to removing one) might not require you to do a restart (but there are some cases when CM says it will do the restart anyway; that's one of pros for having a layer of HFs before your indexers)

As per your other question - you can manipulate several config items, including inputs, using REST API. But you shouldn't do that on a cluster since your config should be consistent across all nodes.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 09:23 AM

Hi @danielbb 

If you are using config files to create your HEC tokens, which I suspect you will be! then Yes you will need to restart Splunk for it to allow the new HEC tokens to work.

For more info check out https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UseHECusingconffiles#:~:text=Restart%2....

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

danielbb
Motivator
‎03-18-2025 09:52 AM

Great @livehybrid, "If you are using config files to create your HEC tokens", what are my options on-prem to configure the HEC token?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 10:13 AM

Hi @danielbb 

As @PickleRick has pointed out in his reply just now, as you have an indexer cluster you should be making changes by pushing your indexer config via a configuration bundles pushed from your Cluster Manager.

This means making changes in the manager-apps/yourOrg_inputs/local/inputs.conf file (or similar) and then pushing a bundle. Splunk will determine if a restart is needed however I think improvements have been made in more recent versions to reduce the number of restarts needed, but there is no guarantee if wont need a restart. When you click "Validate and Check Restart" it should tell you if a restart is required.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...