Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do we need to run an indexer rolling restart when getting new HEC data stream?

danielbb
Motivator
‎03-18-2025 09:17 AM

We are transitioning from getting the HEC data through HFs to getting it directly to the indexers and we are wondering if upon introducing a new data source are we forced to do an indexer rolling restart. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-18-2025 10:10 AM

Since you're talking about rolling restart, I suppose you're using indexer cluster.

In this case adding an input (as opposed to removing one) might not require you to do a restart (but there are some cases when CM says it will do the restart anyway; that's one of pros for having a layer of HFs before your indexers)

As per your other question - you can manipulate several config items, including inputs, using REST API. But you shouldn't do that on a cluster since your config should be consistent across all nodes.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 09:23 AM

Hi @danielbb 

If you are using config files to create your HEC tokens, which I suspect you will be! then Yes you will need to restart Splunk for it to allow the new HEC tokens to work.

For more info check out https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UseHECusingconffiles#:~:text=Restart%2....

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

danielbb
Motivator
‎03-18-2025 09:52 AM

Great @livehybrid, "If you are using config files to create your HEC tokens", what are my options on-prem to configure the HEC token?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 10:13 AM

Hi @danielbb 

As @PickleRick has pointed out in his reply just now, as you have an indexer cluster you should be making changes by pushing your indexer config via a configuration bundles pushed from your Cluster Manager.

This means making changes in the manager-apps/yourOrg_inputs/local/inputs.conf file (or similar) and then pushing a bundle. Splunk will determine if a restart is needed however I think improvements have been made in more recent versions to reduce the number of restarts needed, but there is no guarantee if wont need a restart. When you click "Validate and Check Restart" it should tell you if a restart is required.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...