Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk HEC on heavy forwarder but limiting to indexes

jcrosby21
Path Finder
‎06-10-2021 08:47 AM

I am sending information to splunk via an HTTP Event collector and specifying the index in the body of the HTTP POST.


I have an HTTP Event collector on a heavy forwarder per this documentation:
https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/ScaleHTTPEventCollector

However, I'd like to be able to define a token to a limited set of indexes per this documentation.  So the consumer can supply an index but cannot supply ANY index in their payload.  This appears to be the "indexes" property:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2104/Data/UseHECusingconffiles

When I use the GUI to create a token I only see indexes on the heavy forwarder to limit to, it does not show me the indexes actually on my clustered indexers.  When I manually edit the configuration for a token in the .conf file to have the index I want to limit to I receive an "Incorrect Index" error.

Is it possible to have my HEC on a heavy forwarder but limit a token to indexes defined on my indexer cluster?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:16 AM

We have a similar setup and it works completely fine. Indexes are defined in Indexer cluster but not defined in heavy forwarder, and receiving data to those indexes using HEC(configured on HF).  Can you share the error you are getting?

View solution in original post

Reply
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:16 AM

We have a similar setup and it works completely fine. Indexes are defined in Indexer cluster but not defined in heavy forwarder, and receiving data to those indexes using HEC(configured on HF).  Can you share the error you are getting?

Reply
Solved! Jump to solution

jcrosby21
Path Finder
‎06-10-2021 09:59 AM
and after writing up a whole thing laying out all the pieces I decided to reboot my forwarder just in case and now it works for me.
 
It would appear that while SOME things get picked up without rebooting services when working with the HEC some things probably need splunk to restart.
 
Thanks for the validation!
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...