Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create the same HTTP event collector token for multiple indexers?

johnpof
Path Finder
‎10-01-2015 12:08 PM

I have three stand alone indexers in a round robin and want them to accept HTTP events via the HTTP Event Collector. How do I generate a token with the same value on all three?

Reply
1 Solution
Solved! Jump to solution
Solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-01-2015 12:55 PM

Hi @ppablo.

The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.

The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunk_httpinput/local/inputs.conf it is the "useDeplyomentServer" setting under the [http] stanza. Once you set this, the collector will write all of it's configuration to the etc/deployment_apps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.

There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deployment_apps/splunk_httpinput folder. Then copy the config from etc/apps/splunk_httpinput in.

As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.

Glenn

View solution in original post

Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎11-03-2015 06:01 PM

Hi folks

We just published our new documentation for distributed deployment here. We'd love your feedback!

Reply
Solved! Jump to solution

delink
Communicator
‎05-26-2017 06:03 AM

I can't find anything in here on how it would be deployed on clustered indexers. I would assume I'd use a similar configuration pushed from master-apps, but it would be a good thing to cover in the docs!

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎08-01-2017 09:04 PM

i have the same question actually - is it the same method using cluster master ?

0 Karma
Reply
Solved! Jump to solution

aliakseidzianis
Path Finder
‎01-26-2017 08:51 PM

Love it. Great doc!

0 Karma
Reply
Solved! Jump to solution
Solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-01-2015 12:55 PM

Hi @ppablo.

The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.

The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunk_httpinput/local/inputs.conf it is the "useDeplyomentServer" setting under the [http] stanza. Once you set this, the collector will write all of it's configuration to the etc/deployment_apps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.

There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deployment_apps/splunk_httpinput folder. Then copy the config from etc/apps/splunk_httpinput in.

As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.

Glenn

Reply
Solved! Jump to solution

ahmedn_splunk
Splunk Employee
Splunk Employee
‎07-30-2018 09:03 AM

Hi, Is there a way to do this without Deployment Server?

0 Karma
Reply
Solved! Jump to solution

sphadnis
Path Finder
‎04-08-2019 05:27 PM

I have the same question - any way to do this without Deployment Server?

0 Karma
Reply
Solved! Jump to solution

samuel_stvictor
New Member
‎10-20-2015 12:09 PM

Has the documentation for this been released?

0 Karma
Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-20-2015 12:15 PM

@samuel_stvictor, not yet. If you'd like to review it before we do, email me: gblock@splunk.com and I can send it to you.

Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-20-2015 12:15 PM

Same for you @johnpof

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-01-2015 01:33 PM

Whoops sorry, I accidentally clicked accept for your answer, so sorry if you got a notification! I wasn't the one who asked the question, it was @johnpof. I'm the Answers content manager 🙂 I just edited the post for better visibility.

0 Karma
Reply
Solved! Jump to solution

awurster
Contributor
‎10-14-2015 01:17 AM

does it have to be called splunk_httpinput?? IIRC deployment server / splunk .conf guides recommend following an app naming convention, for which that would be bucking the trend 😕

0 Karma
Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-20-2015 12:16 PM

Yes it does. Under deployment-apps it should be splunk_httpinput.

0 Karma
Reply
Solved! Jump to solution

johnpof
Path Finder
‎10-01-2015 01:36 PM

Hah no worries I appreciate the reply! Look forward to seeing the docs, if you remember please fire them into this post.

Thanks!

0 Karma
Reply
Solved! Jump to solution

gblock_splunk
Splunk Employee
Splunk Employee
‎10-01-2015 01:44 PM

@johnprof we're working on them now

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...