Getting Data In

How can we find out which HTTP Event Collector tokens are not being used?

Ultra Champion

We have numerous input stanzas like -

[http://<name>]
disabled = 0
token = xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx
index = <index name>
indexes = <index name>
queueSize = 100MB
useACK = 0
sourcetype = json

As time passes by, we have more and more stale connections. Can we find out which tokens are stale and not being used?

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

View solution in original post

SplunkTrust
SplunkTrust

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

View solution in original post

Ultra Champion

Gorgeous @ harsmarvania57.

0 Karma

New Member

how can we pull same information using rest API call?

0 Karma