I have been through the blogs below on HTTP event collector, but I'm looking for detailed explanation/use cases on using the HTTP event collector.
According to my understanding, are we sending the data directly to an indexer using a HEC without a universal forwarder..?
In what scenarios would this be helpful..?
Any explanation would be appreciated. Thanks.
Hello @mcnamara,
You are right. More details from
http://blogs.splunk.com/2015/10/06/http-event-collector-your-direct-event-pipe-to-splunk-6-3/
HTTP Event Collector (EC) is a new, robust, token-based JSON API for sending events to Splunk from anywhere without requiring a forwarder. It is designed for performance and scale. Using a load balancer in front, it can be deployed to handle millions of events per second. It is highly available and it is secure. It is easy to configure, easy to use. A few other cool tidbits, it supports gzip compression, batching, HTTP keep-alive and HTTP/HTTPs.
If you are a developer looking to get visibility into your applications within Splunk, looking to capture events from external systems and devices (IoT), or you offer a product that you’d like to integrate with Splunk, HTTP Event Collector is the way to go
Picking up one example from @DamienDallimore , you can enable HEC in the java instrumentation app https://splunkbase.splunk.com/app/1716/
which is an instrumentation agent for tracing code level metrics via bytecode injection, JMX attributes/operations/notifications and decoded HPROF records and streaming these events directly into Splunk. The jvm might be running in any machine or container and you can collect the data directly from the source without the need of a forwader