Getting Data In

Visibility and Monitoring for HEC-based Data Ingestion Interruptions

Nraj87
Explorer

Please advise whether there is a solution or monitoring use case to identify interruptions in HEC-based data ingestion.

Specifically:

  • When the data ingestion service (HEC Token) becomes unavailable or down.

  • When the service (HEC Token) is operational, but no data/logs are being received during normal business hours.


tscroggins
Champion

Hi @Nraj87,

You can probe the services/collector/health endpoint on the HEC port for current service, ack, and token status. See https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/10.0/input-endpoi... or your version's documentation for more information.

HEC metrics are available in index=_introspection with sourcetype=http_event_collector_metrics, e.g.:

index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector

index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector_token

| tstats latest(data.num_of_events) as num_of_events latest(data.num_of_requests) as num_of_requests where index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector

| tstats sum(data.num_of_events) as num_of_events sum(data.num_of_requests) as num_of_requests where index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector_token data.token_name=foo by _time

Introspection metrics are relative to the report window, i.e., data.num_of_events is the number of events received over the last 60 seconds using the default limits.conf [http_input] stanza settings. Token-level introspection events are only generated when activity occurs over the report window. See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-c... for more information.

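As an added example (not code from the thread or from Splunk), the following Python monitor covers both cases in the question: it classifies a probe of the services/collector/health endpoint, and it evaluates token-level introspection events for the "service up, but no data during business hours" case, treating the absence of token-level events as the signal, since Splunk only emits them when activity occurred. The business-hours window, the 15-minute gap threshold and the sample responses/events are constructed assumptions.

```python
import json
from datetime import datetime, time, timezone

HEALTHY_CODE = 17  # HEC health endpoint answers {"text":"HEC is healthy","code":17} when OK


def classify_health(http_status, body):
    """Classify a GET /services/collector/health probe on the HEC port.
    http_status None means the TCP/HTTP request itself failed (service down)."""
    if http_status is None:
        return "down"
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return "down"                       # something answered, but not as HEC
    if http_status == 200 and code == HEALTHY_CODE:
        return "healthy"
    return "unhealthy"                      # HEC answered with an error code


def detect_silence(token_events, now_epoch, max_gap_s=900,
                   business_hours=(time(8), time(18))):
    """Flag 'service up, but no data' for one HEC token (assumed UTC clock).
    token_events: introspection events with data.series=http_event_collector_token
    for that token, each shaped {'_time': epoch, 'data': {'num_of_events': n}}.
    Returns seconds since the last event (inf if none in the window) when the
    token has been silent for more than max_gap_s inside business hours,
    or None when no alert is warranted."""
    wall = datetime.fromtimestamp(now_epoch, tz=timezone.utc).time()
    if not business_hours[0] <= wall < business_hours[1]:
        return None                         # silence outside hours is expected
    active = [e["_time"] for e in token_events if e["data"]["num_of_events"] > 0]
    if not active:
        return float("inf")                 # no token-level events at all
    gap = now_epoch - max(active)
    return gap if gap > max_gap_s else None


# Constructed sample data (not real Splunk output).
NOW = int(datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc).timestamp())
NIGHT = int(datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc).timestamp())
RECENT_EVENTS = [{"_time": NOW - 120, "data": {"num_of_events": 42}}]
STALE_EVENTS = [{"_time": NOW - 3600, "data": {"num_of_events": 7}}]

if __name__ == "__main__":
    print(classify_health(200, '{"text":"HEC is healthy","code":17}'))
    print(detect_silence(STALE_EVENTS, NOW))
```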