Solved: How can we find out which HTTP Event Collector tok... - Splunk Community

Getting Data In

We have numerous input stanzas like -

[http://<name>]
disabled = 0
token = xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx
index = <index name>
indexes = <index name>
queueSize = 100MB
useACK = 0
sourcetype = json

As time passes by, we have more and more stale connections. Can we find out which tokens are stale and not being used?

1 Solution

Solution

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

View solution in original post

Solution

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

Gorgeous @ harsmarvania57.

how can we pull same information using rest API call?

Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...