Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using HEC vs Heavy Forwarder

anurbhav
Loves-to-Learn Lots
‎10-21-2020 12:15 PM

Is there a clear list of pros and cons of using HEC vs Heavy forwarders

 

Also, are there any best practices or preferences of using these 2 options in a given setting

Labels (3)
0 Karma
Reply

arjunpkishore5
Motivator
‎10-22-2020 03:49 PM

Do you mean HEC vs File monitoring?

HEC can live on your Heavy Forwarder. 

 

With the assumption that you are looking for file monitoring vs HEC, you are looking at pull vs push processes, file monitor keeps monitoring a directory and pulls data when new files or updates to existing files are made. On the other hand, HEC listens on a port and you push data to it. Using one vs the other entirely depends on your use case. 

Unfortunately, without more context on what your end goal is, this is all the info I can provide.

 

0 Karma
Reply

anurbhav
Loves-to-Learn Lots
‎10-22-2020 04:04 PM

My end goal is to ingest AWS cloud watch logs to SPLUNK

0 Karma
Reply

Roy_9
Motivator
‎10-22-2020 03:27 PM

@anurbhav If you are going with the route of Kinesis-Cloudwatch-HEC-Splunk then i will prefer HEC.

0 Karma
Reply

anurbhav
Loves-to-Learn Lots
‎10-21-2020 04:48 PM

If i need to ingest my AWS cloudwatch logs to splunk what are the pros and cons of HF vs HEC. What design considerations will it impacts

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 04:43 PM

There are a lot of things to consider when choosing HF or HEC.  There is no documentation on the subject that I know of.  It really comes down to what you need to do.

HFs are good for monitoring files or directories and transforming data.

HEC is good for receiving data directly from an application.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...