- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HTTP Event Collector in a distributed environment ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a pair of heavy forwarders that is load balanced by a round robin DNS record.
I want to set them up as HTTP Event Collectors as described in the documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/ScaleHTTPEventCollector
I have enabled the deployment server by setting: useDeploymentServer=1
When I configure my token is now writes to: /opt/splunk/etc/deployment-apps
When the token is created on the deployment server it looks like this:
[http://openshift]
disabled = 0
host = <myDeploymentServerName>
index = kubernetes_test
sourcetype = kubernetes
token = <mytoken>
If I push this out my host= will not match either of the two HF's the config is going to. Do I need to push out a separate config for each HF? Can I manually update the host name? Can I put multiple hosts on that line?
My second question is: I had to manually change the name of index because the HF's aren't part of the index cluster. Will that impact anything?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set it to $decideOnStartup. This will set host to hostname of executing server. This occurs on each splunkd startup.
host = $decideOnStartupIf you don't set the host then it'll be <serverIP*>:<port>*, where serverIP server IP where heavy forwarder is installed and port used by HEC for receiving data.
If you change the index name then inputs.conf changes should be pushed from deployment server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set it to $decideOnStartup. This will set host to hostname of executing server. This occurs on each splunkd startup.
host = $decideOnStartupIf you don't set the host then it'll be <serverIP*>:<port>*, where serverIP server IP where heavy forwarder is installed and port used by HEC for receiving data.
If you change the index name then inputs.conf changes should be pushed from deployment server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can any of the fields be updated manually so long as they are pushed back out? Looks like your suggestion of $decideOnStartup is working for me.
But, lets say I wanted to change the [http://openshift] to {http://kubernetes] is that and the other things in the stanza okay to edit so long as the token ID is left the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can edit and it's parameters keeping token ID same.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
