Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure the load balancer to handle HEC data?

danielbb
Motivator
‎03-18-2025 08:31 AM

We are in a transition from sending the data through HFs to sending the data directly to the indexers and we wonder how to configure the load balancer to handle this HTTP data. My understanding is that HTTP is based on TCP and TCP is connection based and therefore we can lock the sender to a particular indexer which would lead to an uneven distribution of the load, any suggestions?

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 09:21 AM

Hi @danielbb 

Are you running your infra on-premise or using a cloud service such as AWS? If you are using AWS Firehose to send data to HEC then there are specific requirements for loadbalancing (See https://docs.splunk.com/Documentation/AddOns/released/Firehose/ConfigureanELB)

Also, if you are using indexer acknowledgement with HEC then you need to ensure that (similar to Firehose sources) that your loadbalancer does cookie-based session stickiness so that the client can connect to the same indexer to check the acknowledgement.

Other than that, I believe any modern HTTP Load balancing product should work well.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

danielbb
Motivator
‎03-18-2025 09:50 AM

Very interesting @livehybrid, how do I check whether indexer acknowledgment is in place?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-18-2025 10:17 AM

You can check this on your existing inputs, if you have acknowledgement enabled you'll have the useAck set to true in your inputs.conf stanzas such as below:

[http://answers]
disabled = 0
host = macdev
index = answers
token = bbe67d25-6eca-41c3-9046-e1e9b75bb571
useAck = true

 

useACK = <boolean>
* When set to "true", acknowledgment (ACK) is enabled. Events in a request
  are tracked until they are indexed. An events status (indexed or not) can be
  queried from the ACK endpoint with the ID for the request.
* When set to false, acknowledgment is not enabled.
* This setting can be set at the stanza level.
* Default: false

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...