Solved: Sending data with HEC vs modular inputs vs raw por...

yvonnec · ‎07-09-2019

I'm trying to figure out the pros and cons of using each of these methods to send data to Splunk. Let's assume I have full control over the data, so I can send it in any format.

To the best of my understanding:
HEC: push data to Spunk via Splunk's REST API
Modular input: a script (?) that runs on the Splunk side, good for pulling data from external REST APIs
Open port: (https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Monitornetworkports) send arbitrary data over a raw port for Splunk to index, and the indexing can be configured on the Splunk end

What other considerations should I be keeping in mind when deciding between these approaches? Any limitations to be aware of?

Thanks!

starcher · ‎07-10-2019

Don't use network ports. you get no load balancing etc. HEC is HTTP post (web hook) meant to be web load balanced. Modular inputs usually you run on a heavy forwarder so you have to plan to have a backup of all inputs etc in case the box dies and you have to rebuild it.

View solution in original post

starcher · ‎07-10-2019

Don't use network ports. you get no load balancing etc. HEC is HTTP post (web hook) meant to be web load balanced. Modular inputs usually you run on a heavy forwarder so you have to plan to have a backup of all inputs etc in case the box dies and you have to rebuild it.

yvonnec · ‎07-10-2019

Thank you, this is helpful!

Sending data with HEC vs modular inputs vs raw port

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases