Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

enabling HTTP Event Collector for docker container on splunk clustered setup

sim_tcr
Communicator
‎11-20-2017 06:10 AM

We tested HTTP Event Collector for a docker container by starting the container with below,

--log-driver=splunk --log-opt splunk-token=<token> --log-opt splunk-url=https://<splunkserver>:8088 --log-opt splunk-insecureskipverify=true

Now we want to send the events to our actual splunk setup. We are on search head clustering and index clustering enabled, with a separate shc deployer, deployment server and index master servers.

  • Which server we should enable the HTTP Event Collector?
  • How can i specify the index where the events should be forwarded?

Thanks,

Tags (1)
0 Karma
Reply

outcoldman
Communicator
‎11-26-2017 10:01 PM

Hi @sim_tcr,

If you are just integrating Docker with Splunk, have you seen our solution for collecting logs and metrics https://splunkbase.splunk.com/app/3723/? You can find some documentation https://www.outcoldsolutions.com/docs/ demos and screencasts. We have also comparison table with official Splunk Logging Driver https://www.outcoldsolutions.com/docs/collectorfordocker/#comparing-with-splunk-logging-driver (btw, I am the original author of this driver).

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎11-20-2017 07:00 AM

Hi @sim_tcr!

The best advice for you would require a peek at your existing architecture and data volumes, but you should start by having a look at dev.splunk.com for HEC architectures:

http://dev.splunk.com/view/event-collector/SP-CAAAE73

If you are just getting started you could look at having a Heavy forwarder in place to catch the HEC traffic and pass it to your indexers, or a pool of HFs, or you could also just enable it on all your indexers - although you will want to be careful with that depending on the volume of traffic you expect.

As for routing to an index, check out the docs on HEC tokens. You can set the index/sourcetype there!

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

- MattyMo
Reply

sim_tcr
Communicator
‎11-20-2017 07:07 AM

Thank you for responding.
I think we want to go with http://dev.splunk.com/view/event-collector/SP-CAAAE73#scen1
We are at 6.3.3 and referring http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector
when checking "select allowed indexes" field, we do not see all our indexes from the index cluster listed there.
Do you know what are we missing?

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎11-22-2017 05:51 AM

Great answer @mmodestino!

@sim_tcr - Remember that if you start with Scenario 1 and you have to change/rebuilt the HEC server, you'll need to update all the clients (apps) sending data. As such, use a VIP or a Load Balancer even if pointing to that one instance. This will increase availability and failover options besides allowing for scalability later and essentially making the transition to Scenario 3 seamless.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎11-20-2017 07:18 AM

You need to tell your HF about them in indexes.conf

Grab the TA from the indexer cluster and use that indexes.conf on the HF.

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...