How to forward events coming from HTTP event colle...

lpolo · ‎08-08-2016

The HTTP event collector is working fine. I need to forward the http events to multiple Splunk indexers.

How should the configs be set up?
Could you provide an example?

Thanks,
Lp

cxj · ‎07-13-2017

I'm looking to setup a VIP for this, but when using port 8089 as the VIP Health Check it keeps showing as down. Has anyone configured a VIP for the HEC?

sjohnson_splunk · ‎08-08-2016

You could be more explicit in describing what you are trying to do.

You could create a DNS alias for all your indexers and forward to the DNS name.

You could also create a VIP using a load-balancer and forward to the VIP.

Finally if you just want the http events balanced among your indexers, you could set up a heavy forwarder, send all the events to it and then have it load balance it's ouput (via outputs.conf) to all indexers.

Pick one.

somesoni2 · ‎08-08-2016

My money will be one last option (using HF and Splunk's LB to send data to multiple indexers)

How to forward events coming from HTTP event collector to multiple indexers?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation