Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HTTP Event Collector -- How to specify folder or path name to store logs on heavy forwarder before being sent to indexer?

siva_cg
Path Finder
‎10-20-2017 07:23 AM

Hi All,

Could you please help me with the query regarding collecting data using the HTTP Event Collector? I am trying to collect logs from F5 appliances using HEC method. The basic architecture will look like below:

F5 appliances ----> Load Balancer ----> Heavy Forwarder (where HEC will be configured) ----> Indexers

Now, my query exactly is, how to specify folder or path name to store logs on Heavy forwarder before being sent to Indexers? Any documentation or help is much appreciated.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

starcher
Influencer
‎10-20-2017 11:41 AM

HEC doesn't store files on disk. You should have the HF setup to receive HEC and have an appropriate outputs to point to your indexing layer.

http://dev.splunk.com/view/event-collector/SP-CAAAE6M

http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/UsetheHTTPEventCollector

View solution in original post

Reply
Solved! Jump to solution
Solution

starcher
Influencer
‎10-20-2017 11:41 AM

HEC doesn't store files on disk. You should have the HF setup to receive HEC and have an appropriate outputs to point to your indexing layer.

http://dev.splunk.com/view/event-collector/SP-CAAAE6M

http://docs.splunk.com/Documentation/Splunk/6.6.3/Data/UsetheHTTPEventCollector

Reply
Solved! Jump to solution

siva_cg
Path Finder
‎10-23-2017 03:17 AM

Hi @starcher,

Thank you for providing me the document links. So a typical configuration looks like as below:

in the splunk_httpinput app,
[http://F5_Analytics]
description = Token to get the logs from F5 iApp
disabled = 0
index = f5_ltm
sourcetype = f5_iapp_logs
token = xxxxxxxxxx
outoputgroup = f5

and use this outputgroup in outputs.conf of HF. Please correct me if I am wrong.

Thanks in advance.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎10-23-2017 03:51 AM

That's correct!

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

siva_cg
Path Finder
‎10-23-2017 03:55 AM

Thank you very much @nickhillscpl.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...