Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Number of HEC tokens on a Indexer

rashi83
Path Finder
‎01-22-2020 09:19 AM

Hi there,
We are going to onboard atleast 500 tokens per Index on a single Indexer. IS there any performance penalty of having these many tokens listening on a single machine.

Labels (2)
Labels
0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2020 09:55 AM

I think the important consideration is your use case.
Whilst you don't hint at what the throughput of these is likely to be, I can't help but think there may be a better way to manage your inbound events.

As @richgalloway notes, you probably should be running HEC on a heavy forwarder.
Any performance impact from a large number of tokens (not something I have ever benchmarked) would be constrained to that server - and not the rest of your deployment.

That said, if you are expecting a high rate of events (presumably from 500+ sources) you may want to also consider some form of loadbalancing for the HECs.

Is each token to be mapped to a different sourcetype?
If you can add a bit more context (and are happy to do so), you may get some more ideas.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2020 09:34 AM

If you have multiple indexers, you should be running HEC on a heavy forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...