How do I create the same HTTP event collector token for multiple indexers?

johnpof
Path Finder

I have three standalone indexers in a round robin and want them to accept HTTP events via the HTTP Event Collector. How do I generate a token with the same value on all three?

1 Solution

gblock_splunk
Splunk Employee

Hi @ppablo.

The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.

The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunk_httpinput/local/inputs.conf it is the "useDeploymentServer" setting under the [http] stanza. Once you set this, the collector will write all of its configuration to the etc/deployment_apps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.

There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deployment_apps/splunk_httpinput folder. Then copy the config from etc/apps/splunk_httpinput in.

As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.

Glenn
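
The manual setup described in the answer above, as a shell script. This is an added example, not part of the original post and not Splunk tooling: the function names `set_http_flag` and `stage_hec_app` are hypothetical, the destination is assumed to be the deployment server's default repository `etc/deployment-apps` (the name a later reply in this thread uses), and the permission tightening is an added precaution because inputs.conf holds the token values.

```shell
#!/bin/sh
# Added example, not Splunk tooling. Function names are hypothetical.

# set_http_flag FILE: make [http] in FILE carry exactly one
# "useDeploymentServer = 1", creating the file or stanza if absent.
# Runs in a subshell with umask 077 so the temp copy of the tokens is private.
set_http_flag() (
    umask 077
    f=$1
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    awk '
        /^\[/ { in_http = ($0 ~ /^\[http\][ \t]*$/) }            # track stanza
        in_http && /^[ \t]*useDeploymentServer[ \t]*=/ { next }  # drop old value
        { print }
        /^\[http\][ \t]*$/ { print "useDeploymentServer = 1"; seen = 1 }
        END { if (!seen) print "[http]\nuseDeploymentServer = 1" }
    ' "$f" > "$f.tmp" &&
    cat "$f.tmp" > "$f" &&      # overwrite in place: keeps owner and mode of FILE
    rm -f "$f.tmp"
)

# stage_hec_app SPLUNK_HOME: run on the deployment server, in the order the
# answer gives: create the deployment app folder, copy the config in, then
# switch the collector to deployment-server mode.
stage_hec_app() {
    home=$1
    src="$home/etc/apps/splunk_httpinput"
    dst="$home/etc/deployment-apps/splunk_httpinput"   # assumed default path
    [ -d "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$dst"
    cp -R "$src/." "$dst/"
    # inputs.conf holds token values, so drop world access (added precaution).
    chmod -R o-rwx "$dst"
    set_http_flag "$src/local/inputs.conf"
}

# Usage: sh stage_hec.sh --stage /opt/splunk
if [ "${1:-}" = "--stage" ]; then
    stage_hec_app "${2:?SPLUNK_HOME path required}"
fi
```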


gblock_splunk
Splunk Employee

Hi folks

We just published our new documentation for distributed deployment here. We'd love your feedback!

delink
Communicator

I can't find anything in here on how it would be deployed on clustered indexers. I would assume I'd use a similar configuration pushed from master-apps, but it would be a good thing to cover in the docs!

0 Karma

Esky73
Builder

I have the same question actually - is it the same method using cluster master?

0 Karma

aliakseidzianis
Path Finder

Love it. Great doc!

0 Karma

ahmedn_splunk
Splunk Employee

Hi, is there a way to do this without Deployment Server?

0 Karma

sphadnis
Path Finder

I have the same question - any way to do this without Deployment Server?

0 Karma

samuel_stvictor
New Member

Has the documentation for this been released?

0 Karma

gblock_splunk
Splunk Employee

@samuel_stvictor, not yet. If you'd like to review it before we do, email me: gblock@splunk.com and I can send it to you.

gblock_splunk
Splunk Employee

Same for you @johnpof

0 Karma

ppablo
Retired

Whoops sorry, I accidentally clicked accept for your answer, so sorry if you got a notification! I wasn't the one who asked the question, it was @johnpof. I'm the Answers content manager 🙂 I just edited the post for better visibility.

0 Karma

awurster
Contributor

Does it have to be called splunk_httpinput?? IIRC deployment server / splunk .conf guides recommend following an app naming convention, for which that would be bucking the trend 😕

0 Karma

gblock_splunk
Splunk Employee

Yes it does. Under deployment-apps it should be splunk_httpinput.

0 Karma

johnpof
Path Finder

Hah no worries I appreciate the reply! Look forward to seeing the docs, if you remember please fire them into this post.

Thanks!

0 Karma

gblock_splunk
Splunk Employee

@johnpof we're working on them now.

0 Karma