Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HTTP Event Collector in a distributed environment with load balanced Heavy Forwarders

morphis72
Path Finder
‎02-20-2020 06:43 AM

I have a pair of heavy forwarders that is load balanced by a round robin DNS record.

I want to set them up as HTTP Event Collectors as described in the documentation:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/ScaleHTTPEventCollector

I have enabled the deployment server by setting: useDeploymentServer=1

When I configure my token is now writes to: /opt/splunk/etc/deployment-apps

When the token is created on the deployment server it looks like this:

[http://openshift]
disabled = 0
host = <myDeploymentServerName>
index = kubernetes_test
sourcetype = kubernetes
token = <mytoken>

If I push this out my host= will not match either of the two HF's the config is going to. Do I need to push out a separate config for each HF? Can I manually update the host name? Can I put multiple hosts on that line?

My second question is: I had to manually change the name of index because the HF's aren't part of the index cluster. Will that impact anything?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-20-2020 07:07 AM

  • Set it to $decideOnStartup. This will set host to hostname of executing server. This occurs on each splunkd startup.

    host = $decideOnStartup

  • If you don't set the host then it'll be <serverIP*>:<port>*, where serverIP server IP where heavy forwarder is installed and port used by HEC for receiving data.

  • If you change the index name then inputs.conf changes should be pushed from deployment server.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-20-2020 07:07 AM

  • Set it to $decideOnStartup. This will set host to hostname of executing server. This occurs on each splunkd startup.

    host = $decideOnStartup

  • If you don't set the host then it'll be <serverIP*>:<port>*, where serverIP server IP where heavy forwarder is installed and port used by HEC for receiving data.

  • If you change the index name then inputs.conf changes should be pushed from deployment server.

0 Karma
Reply
Solved! Jump to solution

morphis72
Path Finder
‎02-20-2020 07:47 AM

Can any of the fields be updated manually so long as they are pushed back out? Looks like your suggestion of $decideOnStartup is working for me.

But, lets say I wanted to change the [http://openshift] to {http://kubernetes] is that and the other things in the stanza okay to edit so long as the token ID is left the same?

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-20-2020 08:46 AM

Yes, you can edit and it's parameters keeping token ID same.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...