Getting Data In

How do I create the same HTTP event collector token for multiple indexers?

Path Finder

I have three stand alone indexers in a round robin and want them to accept HTTP events via the HTTP Event Collector. How do I generate a token with the same value on all three?

1 Solution

Splunk Employee
Splunk Employee

Hi @ppablo.

The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.

The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunk_httpinput/local/inputs.conf it is the "useDeplyomentServer" setting under the [http] stanza. Once you set this, the collector will write all of it's configuration to the etc/deployment_apps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.

There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deployment_apps/splunk_httpinput folder. Then copy the config from etc/apps/splunk_httpinput in.

As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.

Glenn

View solution in original post

Splunk Employee
Splunk Employee

Hi folks

We just published our new documentation for distributed deployment here. We'd love your feedback!

Communicator

I can't find anything in here on how it would be deployed on clustered indexers. I would assume I'd use a similar configuration pushed from master-apps, but it would be a good thing to cover in the docs!

0 Karma

Builder

i have the same question actually - is it the same method using cluster master ?

0 Karma

Path Finder

Love it. Great doc!

0 Karma

Splunk Employee
Splunk Employee

Hi @ppablo.

The recommended way to do this is to use Deployment Server. We have documentation which will be shortly forthcoming explaining how to do this.

The way it works is you have your indexers as clients of Event Collector. HTTP Event Collector has a global setting that you will configure on the deployment server "Use Deployment Server". In etc/apps/splunk_httpinput/local/inputs.conf it is the "useDeplyomentServer" setting under the [http] stanza. Once you set this, the collector will write all of it's configuration to the etc/deployment_apps/splunk_httpinput folder. Any time you use the UI or API to manage tokens, the deployment server will package up the updates so that the next time the clients (indexers) poll, they will get the latest tokens. The indexers will restart and load the new tokens in a staggered fashion.

There's a little bit of manual setup on the deployment server initially before you set the settings. First manually create the etc/deployment_apps/splunk_httpinput folder. Then copy the config from etc/apps/splunk_httpinput in.

As I mentioned, we'll have more docs coming in the next week or so that will show how to do this.

Glenn

View solution in original post

Splunk Employee
Splunk Employee

Hi, Is there a way to do this without Deployment Server?

0 Karma

Path Finder

I have the same question - any way to do this without Deployment Server?

0 Karma

New Member

Has the documentation for this been released?

0 Karma

Splunk Employee
Splunk Employee

@samuel_stvictor, not yet. If you'd like to review it before we do, email me: gblock@splunk.com and I can send it to you.

Splunk Employee
Splunk Employee

Same for you @johnpof

0 Karma

Community Manager
Community Manager

Whoops sorry, I accidentally clicked accept for your answer, so sorry if you got a notification! I wasn't the one who asked the question, it was @johnpof. I'm the Answers content manager 🙂 I just edited the post for better visibility.

0 Karma

Contributor

does it have to be called splunk_httpinput?? IIRC deployment server / splunk .conf guides recommend following an app naming convention, for which that would be bucking the trend 😕

0 Karma

Splunk Employee
Splunk Employee

Yes it does. Under deployment-apps it should be splunk_httpinput.

0 Karma

Path Finder

Hah no worries I appreciate the reply! Look forward to seeing the docs, if you remember please fire them into this post.

Thanks!

0 Karma

Splunk Employee
Splunk Employee

@johnprof we're working on them now

0 Karma