Solved: Re: How can we find out which HTTP Event Collector...

ddrillic · ‎01-18-2019

We have numerous input stanzas like -

[http://<name>]
disabled = 0
token = xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx
index = <index name>
indexes = <index name>
queueSize = 100MB
useACK = 0
sourcetype = json

As time passes by, we have more and more stale connections. Can we find out which tokens are stale and not being used?

harsmarvania57 · ‎01-18-2019

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

View solution in original post

harsmarvania57 · ‎01-18-2019

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

ddrillic · ‎01-26-2019

Gorgeous @ harsmarvania57.

sowmya_prasanna · ‎07-02-2019

how can we pull same information using rest API call?

How can we find out which HTTP Event Collector tokens are not being used?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!