HEC token management for HA


Hi Splunkers,

We have a distributed environment with 2SH, 2 indexers and 1 master.
We need to set up HEC with HA. Currently my HEC is available on my indexers.
I would like to know if the indexers are restarted will there be data loss ?

Also what factors to be considered for security?

Below is a similar question :
Any help would be appreciated!
Thanks in advance.

0 Karma


Hi @deepashri_123,

Based on documentation, Note: Using HTTP Event Collector in a distributed deployment is incompatible with indexer clustering. Specifically, cluster peers are not supported as deployment clients.

So in this case you require Heavy Forwarders and setup HEC on those machines.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...