HTTP Event Collector in a distributed environment with load balanced Heavy Forwarders

Path Finder

I have a pair of heavy forwarders that is load balanced by a round robin DNS record.

I want to set them up as HTTP Event Collectors as described in the documentation:

I have enabled the deployment server by setting: useDeploymentServer=1

When I configure my token, it now writes to: /opt/splunk/etc/deployment-apps

When the token is created on the deployment server it looks like this:

disabled = 0
host = <myDeploymentServerName>
index = kubernetes_test
sourcetype = kubernetes
token = <mytoken>

If I push this out, my host= will not match either of the two HFs the config is going to. Do I need to push out a separate config for each HF? Can I manually update the host name? Can I put multiple hosts on that line?

My second question is: I had to manually change the name of the index because the HFs aren't part of the index cluster. Will that impact anything?

1 Solution

  • Set it to $decideOnStartup. This will set host to the hostname of the executing server. This occurs on each splunkd startup.

    host = $decideOnStartup

  • If you don't set the host then it'll be <serverIP>:<port>, where serverIP is the IP of the server where the heavy forwarder is installed and port is the port used by HEC for receiving data.

  • If you change the index name then inputs.conf changes should be pushed from the deployment server.

Path Finder

Can any of the fields be updated manually so long as they are pushed back out? Looks like your suggestion of $decideOnStartup is working for me.

But, let's say I wanted to change the [http://openshift] to [http://kubernetes], is that and the other things in the stanza okay to edit so long as the token ID is left the same?

Yes, you can edit it and its parameters, keeping the token ID the same.
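
A pre-push check for the points raised in this thread, as an added example that is not part of the original posts and not Splunk tooling: it parses the [http://...] stanzas of an inputs.conf, flags a hard-coded host that would mislabel events from both heavy forwarders, and confirms that a stanza rename kept the token. The sample file contents, the all-zero token and the function names are constructed for illustration.

```python
import configparser

HEC_PREFIX = "http://"            # HEC token stanzas are named [http://<name>]
DYNAMIC_HOST = "$decideOnStartup"  # resolved to the local hostname at splunkd startup

# Constructed sample: the stanza as written on the deployment server (placeholder values).
BEFORE = """\
[http://openshift]
disabled = 0
host = <myDeploymentServerName>
index = kubernetes_test
sourcetype = kubernetes
token = 00000000-0000-0000-0000-000000000000
"""
# The same stanza after the edits discussed in the thread: renamed, host made dynamic.
AFTER = (BEFORE.replace("[http://openshift]", "[http://kubernetes]")
               .replace("host = <myDeploymentServerName>", "host = " + DYNAMIC_HOST))

def parse_hec(text):
    """Return {stanza_name: {setting: value}} for every HEC token stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith(HEC_PREFIX)}

def lint(text):
    """Flag HEC stanzas that are unsafe to push to several forwarders at once."""
    findings = []
    for name, cfg in parse_hec(text).items():
        host = cfg.get("host")
        # An unset host is not flagged: per the answer it falls back to <serverIP>:<port>.
        if host is not None and host != DYNAMIC_HOST:
            findings.append((name, f"host is hard-coded to {host!r}"))
        if not cfg.get("token"):
            findings.append((name, "no token set"))
    return findings

def tokens_preserved(before, after):
    """True when an edit (for example a stanza rename) kept every token value."""
    def tokens(text):
        return sorted(c.get("token", "") for c in parse_hec(text).values())
    return tokens(before) == tokens(after)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(text) or "ok")
    print("tokens preserved:", tokens_preserved(BEFORE, AFTER))
```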
