Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is there a way to configure HEC to receive both HTTP and HTTPS inputs

mettomm
Explorer
‎02-22-2022 06:21 AM

Hi there all.
I am in a bit of a catch 22.  I have a process that cannot send data over HTTPS data because the HEC is using a self-signed certificate and the process I am using will not allow that.  However, I cannot send HTTP because the HEC is set for HTTPS input and so is getting rejected by the Splunk HEC.

Is there a way to have the HEC collect BOTH HTTP and HTTPS and set the requirement based on the input?

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mettomm
Explorer
‎02-28-2022 04:55 AM

Thanks for the information and the confirmation.  

We are looking at a second Heavy Forwarder with HEC set to receive HTTP.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mettomm
Explorer
‎02-28-2022 04:55 AM

Thanks for the information and the confirmation.  

We are looking at a second Heavy Forwarder with HEC set to receive HTTP.

 

0 Karma
Reply
Solved! Jump to solution

mettomm
Explorer
‎02-22-2022 06:52 AM

Thanks.
That was my thoughts as well.  However, I  know that there are ways to "tweak" inputs in Splunk and was just wanting to make sure that there was no other way to accomplish this.  

I will let this question set for a few days and see if there are other thoughts.

Thanks

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎02-22-2022 07:00 AM

At least some LBs (like F5) can listen both http and https and do a redirect to wanted port. That way you can use both on same address before real HEC input and use only one protocol between LB/VIP and HEC-listener(s).

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-22-2022 06:34 AM

Splunk HEC is enabled per instance and it can either be HTTP or HTTPS. Having a separate Heavy Fwd for HTTP and HTTS would help here.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...