Getting Data In
Highlighted

HTTP Event Collector: Can I set up a farm of Splunk 6.3 forwarders and send them to to 6.1 indexers?

Champion

Hi,

I have customers interested in using the HTTP event collector, but I'm still running 6.1 indexers and search heads. Can I set up a farm of 6.3 forwarders and send them to 6.1 indexers?

0 Karma
Highlighted

Re: HTTP Event Collector: Can I set up a farm of Splunk 6.3 forwarders and send them to to 6.1 indexers?

Ultra Champion

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

I'm not seeing anything that says that the functionality does not exist on [universal] forwarders but haven't tried. I'd say give it a try and see? You can run a curl command against it to see if it catches your http request.

0 Karma
Highlighted

Re: HTTP Event Collector: Can I set up a farm of Splunk 6.3 forwarders and send them to to 6.1 indexers?

Splunk Employee
Splunk Employee

Yes you can have 6.3 Event Collector instances which forward to 6.2. In the configuration of EC you can select an output group for it to forward to. The receiving indexers do not have to be 6.3.

As to the UF, it is not supported today, though it may work. Only HWF is supported from a forwarder perspective.

0 Karma
Highlighted

Re: HTTP Event Collector: Can I set up a farm of Splunk 6.3 forwarders and send them to to 6.1 indexers?

Splunk Employee
Splunk Employee

Hi folks

We've just added new documentation on distributed deployment. You can find it here.