Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to list indexes which have data that is received by HEC and owners of indexes?

splunker09
Engager
‎10-03-2022 04:13 AM

I am working in clustered environment and getting data from HEC.  I want to list out indexes which are receiving HEC data and the data owners.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-03-2022 04:38 AM

Hi

can you describe what you are meaning with "data owners" (app where it is configured or business owner or ...)?

You could get configured HEC tokens/inputs from HEC node e.g.

| rest splunk_server=<your hec node> /services/data/inputs/http

Of course you should have added that node to peer your SH or just run above towards your HEC node(s) with curl.

That query shows allowed indexes and forced indexes for those tokens.

Another way to check which tokens are used is

https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-out-which-HTTP-Event-Collector-token...

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-03-2022 05:32 AM

Depends on what you want to really do. You can list the HEC tokens but the might be restricted to a single index, a number of indexes or not restricted at all. So you can check the config but to find for which indexes the HEC inputs really do receive data, you'd have to check metrics (and even then I'm not sure you'd find that).

And of course that won't tell you the business owners. That's up to you and your environment management processes.

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 01:24 AM

As @PickleRick said you must manage information about business owners by your other system. I propose to create inside your onboarding process to add and maintain that information. I have used so called log card which must fulfil when onboarding has done. One part of it is business owner, service managers etc. contact information.

You can see those indexes from input definitions, but there could be some other sources which are using those same indexes also. For that reason you really need a management system which where you have documented that kind of information.

Reply
Solved! Jump to solution

splunker09
Engager
‎10-03-2022 05:08 AM

Yes, I mean business owner

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎10-03-2022 04:38 AM

Hi

can you describe what you are meaning with "data owners" (app where it is configured or business owner or ...)?

You could get configured HEC tokens/inputs from HEC node e.g.

| rest splunk_server=<your hec node> /services/data/inputs/http

Of course you should have added that node to peer your SH or just run above towards your HEC node(s) with curl.

That query shows allowed indexes and forced indexes for those tokens.

Another way to check which tokens are used is

https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-out-which-HTTP-Event-Collector-token...

r. Ismo 

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...