Hi
I have read all the HEC Splunk documentation but there are some things that are not clear to me.
I know the process to create a new token
So except if I am mistaken a new stanza is created in the inputs.conf file of the Heavy Forwarder?
If yes, do we also have to update the outputs.conf file on the Heavy Forwarder to route the events to the indexers?
Is there any other configurations to do?
I have also understood how to test our HTTP Event Collector with the curl command:

```shell
curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'
```

In this example, does https://mysplunkserver.example.com:8088 correspond to the HEC endpoint?
What I also do not understand is, when the HEC configuration works, how the events are automatically sent to the Splunk platform. Is there a scheduled task to do this?
Finally, if somebody has interesting tutorials on HEC topics (other than Splunk's own tutorials), I would be very interested.
Thanks
The new stanza of the inputs.conf file is created on the instance where you are signed in. If that's the HF then the HEC input will be on the HF.
There is no need to change outputs.conf because the HF already knows (because it's a forwarder) how to send events to the indexers. HEC has no bearing on how forwarders send data to indexers or how outputs.conf is configured.
HEC events are sent from HF to indexer exactly the same way any other events are sent - via a SplunkTCP connection from the HF to port 9997 (or other port if so configured) on the indexers.
So if I am signed on to a UF, does that mean there will be an inputs.conf file too, but also an outputs.conf file?
Thanks
Unless something changed recently and I missed it, UF has no gui so you can't be logged in to it 😉 And you can't define HEC input on UF.
But in general - inputs and outputs are two different things. You define an input to ingest data (monitor files, listen on HEC or syslog and so on), the ingested data gets through splunk internal queues then gets written to disk (if it's an indexer) and/or sent to defined outputs.
thanks
2 last questions:
1) Could you confirm for me that the volume of data ingested with HEC is taken into account by the license volume manager, like the volume of data ingested with the UF?
2) Is it possible to use the same token for different HEC sources?
1) The license usage is counted based on amount of _raw data written to indexes regardless of whatever inputs it's getting ingested from. So it doesn't matter if it's UF's monitor input, HF's HEC or a modular input - it's still getting counted based on how much data (_raw data, mind you) it ingests.
2) In some scenarios - yes, but often the source is not able to define the metadata, so you're distinguishing sources by the token. So technically - yes, but in a practical situation I wouldn't recommend it except in some very specific cases.
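To make the two points above concrete (the curl test from the question, and the answer that one token can serve several sources only if the sender sets the metadata itself), here is a small HEC client written as an added example. It is not Splunk's code and not from anyone in this thread. The host hf.example.com and the token value are placeholders; the request is built exactly as the curl test does it (POST to /services/collector/event with an `Authorization: Splunk <token>` header), several events are concatenated into one body, and each event carries its own source/sourcetype/host so the indexer can tell them apart without a separate token. `licensed_raw_bytes` approximates what the license meter sees: the value of the `event` field becomes `_raw`, the metadata wrapper does not.

```python
"""Added example: minimal Splunk HEC client (not Splunk's own code).

Assumptions that are not from the thread: the HEC endpoint host
hf.example.com and the token value are placeholders.
"""
import json
import ssl
import urllib.request

HEC_URL = "https://hf.example.com:8088/services/collector/event"  # assumed host
HEC_TOKEN = "12345678-1234-1234-1234-1234567890AB"  # placeholder token


def hec_event(event, sourcetype, source=None, host=None, index=None, time=None):
    """Build one HEC event object.

    Metadata is set per event, not per token, so several applications can
    share one token and still be distinguished by source/host/sourcetype.
    `event` may be a string (becomes _raw as-is) or a dict (indexed as JSON).
    """
    obj = {"event": event, "sourcetype": sourcetype}
    if source is not None:
        obj["source"] = source
    if host is not None:
        obj["host"] = host
    if index is not None:
        obj["index"] = index
    if time is not None:
        obj["time"] = time  # epoch seconds; HEC uses receipt time if omitted
    return obj


def build_batch(events):
    """Serialize a list of event objects as concatenated JSON objects.

    /services/collector/event accepts several JSON objects in one body, so one
    HTTP request can carry a whole batch; nothing is scheduled on the HF side,
    the events enter the forwarder's pipeline as soon as the request lands.
    """
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def build_request(body, token=HEC_TOKEN, url=HEC_URL):
    """Build the POST exactly as the curl test does: token in the
    Authorization header, JSON body."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def licensed_raw_bytes(events):
    """Approximate license-relevant bytes: only the event payload becomes
    _raw; the surrounding metadata wrapper is not counted."""
    total = 0
    for e in events:
        ev = e["event"]
        raw = ev if isinstance(ev, str) else json.dumps(ev, separators=(",", ":"))
        total += len(raw.encode("utf-8"))
    return total


def send(req, verify_tls=True):
    """Send the request and return HEC's JSON reply
    ({"text": "Success", "code": 0} on acceptance).

    verify_tls=False is only for a lab HF still on its self-signed cert;
    never disable verification against a production collector.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events: two different applications, one token.
    batch = [
        hec_event("http auth ftw!", "my_sample_data"),
        hec_event({"user": "bob", "action": "login"}, "app:json",
                  source="app1", host="web01"),
    ]
    body = build_batch(batch)
    print(body)
    print("raw bytes toward license:", licensed_raw_bytes(batch))
    print(send(build_request(body)))  # needs a reachable HEC endpoint
```

Running the script only reaches the network in the final `send` call; the rest is pure request construction, which is what to check first when a HEC test returns 401 or 403 (token value or scheme wrong) versus 400 (malformed JSON body).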