Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk HEC on heavy forwarder but limiting to indexes

jcrosby21
Path Finder
‎06-10-2021 08:47 AM

I am sending information to splunk via an HTTP Event collector and specifying the index in the body of the HTTP POST.


I have an HTTP Event collector on a heavy forwarder per this documentation:
https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/ScaleHTTPEventCollector

However, I'd like to be able to define a token to a limited set of indexes per this documentation.  So the consumer can supply an index but cannot supply ANY index in their payload.  This appears to be the "indexes" property:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2104/Data/UseHECusingconffiles

When I use the GUI to create a token I only see indexes on the heavy forwarder to limit to, it does not show me the indexes actually on my clustered indexers.  When I manually edit the configuration for a token in the .conf file to have the index I want to limit to I receive an "Incorrect Index" error.

Is it possible to have my HEC on a heavy forwarder but limit a token to indexes defined on my indexer cluster?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:16 AM

We have a similar setup and it works completely fine. Indexes are defined in Indexer cluster but not defined in heavy forwarder, and receiving data to those indexes using HEC(configured on HF).  Can you share the error you are getting?

View solution in original post

Reply
Solved! Jump to solution
Solution

rupkumar4sec
Path Finder
‎06-10-2021 09:16 AM

We have a similar setup and it works completely fine. Indexes are defined in Indexer cluster but not defined in heavy forwarder, and receiving data to those indexes using HEC(configured on HF).  Can you share the error you are getting?

Reply
Solved! Jump to solution

jcrosby21
Path Finder
‎06-10-2021 09:59 AM
and after writing up a whole thing laying out all the pieces I decided to reboot my forwarder just in case and now it works for me.
 
It would appear that while SOME things get picked up without rebooting services when working with the HEC some things probably need splunk to restart.
 
Thanks for the validation!
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...