I have a question about moving an HTTP Event Collector (HEC) integration from a Splunk demo setup to a production setup.
Right now, I am using a demo Splunk environment where HEC is enabled on port 8088. My application sends events to a URL similar to:
https://demo-host:8088/services/collector
For the production Splunk environment, I was told that no separate port (like 8088) is required because HEC will be exposed through HTTPS, possibly behind a load balancer or proxy.
My questions are:
When switching from the demo environment to the production environment, does the Splunk instance URL typically change?
If the URL changes, what impact does this have on the existing integration?
Do I only need to update the hostname and port?
Will the HEC token also change?
Any SSL or network/firewall considerations?
Is there anything specific to keep in mind when migrating a HEC integration from demo to production?
Background:
Demo setup uses HEC on port 8088
Production setup will expose HEC without a custom port (likely on HTTPS 443)
I want to understand how this difference affects the application endpoint configuration
Hi @Jayaraman
Do you currently have a Splunk Cloud Trial or are you self-hosting a Splunk instance?
Ultimately the URL and token will certainly change if you are going from a trial or self-hosted instance to a production Splunk Cloud stack. During the setup of your production cloud stack you will be asked for a prefix/stack name to use, which will be <stackName>.splunkcloud.com
The HEC endpoint address will end up being https://http-inputs-<stackName>.splunkcloud.com/
You will need to create a new HEC token on your production stack for your data ingestion. There is no way to specifically set a token, it is a random GUID, therefore you will need to update your data source with the new URL and token to start sending your data to a production stack.
Note that it's not typically possible to migrate any existing indexed data from a trial stack into a Splunk Cloud production stack.
@PickleRick What I'm trying to convey is that in the Splunk Cloud trial the HEC input port is required, but in production it uses port 443.
For example, I'm now using the Splunk Cloud trial, using the same HEC token details and server details I've used for the integration.
Now the product is sending data to the port using the HTTP /services/collector/event API.
Now the Splunk Cloud trial is changed to production. Now I've not updated the same details in the integrated product. Will the integration break now?
As I said - the production Cloud stack uses a different port and might use a different token. It definitely uses encryption whereas trial stacks don't. So if your sources had the trial HEC endpoint http://whatever:8088/ it won't work on https://whatever-else/
1. In the very first place, it's hard to tell without knowing what your "demo" is. A trial Splunk Cloud instance does _not_ use TLS on HEC inputs as far as I remember, so if you're using TLS in your "demo", that's something different than Cloud Trial.
2. In Splunk Cloud the port is 8088 (without TLS) on Trial stacks and 443 (with TLS) on prod stacks.
3. I'm not quite sure whether you can _choose/set_ the value of the HEC token on creation (you cannot do it in the GUI in an on-prem environment). So the token itself might change.
4. If this is, however, an on-prem Splunk Enterprise setup, it all depends on the team implementing your solution. There might be some HTTP LB in place, for example. So there are many things we don't know of.
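
An added example, not part of any post in this thread and not Splunk's own code: an offline preflight check for the cutover the replies describe, listing which sender settings change and rejecting a production target that is not HTTPS on 443. The function names, the stack name `examplestack`, the trial host and both tokens are constructed placeholders; `Authorization: Splunk <token>` is the standard HEC authentication header.

```python
import json
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample values; "examplestack" and both tokens are placeholders.
TRIAL = ("http://trial-host.example:8088/services/collector/event",
         "11111111-2222-3333-4444-555555555555")
PROD = ("https://http-inputs-examplestack.splunkcloud.com/services/collector/event",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

def _parts(url):
    """Split a URL into scheme, host, effective port (default filled in) and path."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return {"scheme": u.scheme, "host": u.hostname, "port": port, "path": u.path}

def check_hec_target(url, token, production):
    """Return a list of findings for one endpoint/token pair; empty means OK."""
    p, findings = _parts(url), []
    if production and p["scheme"] != "https":
        findings.append("production HEC endpoint must use https")
    if production and p["port"] != 443:
        findings.append(f"production HEC is on 443, not {p['port']}")
    if not p["path"].startswith("/services/collector"):
        findings.append("path is not under /services/collector")
    if not GUID_RE.match(token):
        findings.append("token is not GUID-shaped")
    return findings

def cutover_changes(old, new):
    """Name every setting the sending application must update at cutover."""
    o, n = _parts(old[0]), _parts(new[0])
    changed = {k for k in ("scheme", "host", "port") if o[k] != n[k]}
    if old[1] != new[1]:
        changed.add("token")
    return changed

def build_event_request(url, token, event):
    """Return (url, headers, body) for one HEC event POST; nothing is sent."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"event": event})

if __name__ == "__main__":
    print(check_hec_target(*TRIAL, production=True))
    print(sorted(cutover_changes(TRIAL, PROD)))
```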