Splunk HEC was configured as defined in the documentation. I could see that I can send data using the HTTPS URL. When sending the same data using the HTTP URL, the request fails with the error "curl: (56) Recv failure: Connection reset by peer".
curl https://<host>:<port>/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "demo", "event": "Test data!"}'
Output/Response: {"text":"Success","code":0}
curl http://<host>:<port>/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "demo", "event": "Test data!"}'
curl: (56) Recv failure: Connection reset by peer
This was the command used to enable the token: /opt/splunk/bin/splunk http-event-collector enable -name <hec_name> -uri https://localhost:8089
which worked perfectly fine.
I thought I had to enable the HTTP URL and executed the command below:
/opt/splunk/bin/splunk http-event-collector enable -name catania-app-stat -uri http://localhost:8089
Error/Output: Cannot connect Splunk server
What am I missing here? How do I get the source to send data over the HTTP protocol?
Please don't ever disable SSL for HTTP Event Collection; this is purely from a security standpoint.
If you absolutely must have an HTTP-only connection, please set up a separate HF for this purpose. Never expose your indexing tier to non-SSL connections.
Thanks @dural_yyz. I was thinking of a solution where, for a specific token, I could enable the HTTP protocol. Based on your comment and @jawahir007's comment, I infer that it's a global setting and cannot be changed for a specific token. I wonder why Splunk recommends using HTTP for performance optimisation (referring to the statement below from the listed ref link).
Sending data over HTTP results in a significant performance improvement compared to sending data over HTTPS.
My background is network engineering, so I can't speak to any specific software processing benefits of HTTP vs HTTPS. However, since HTTP is essentially plain text, it would be fairly simple to take the packet off the wire. Having to decrypt HTTPS would, by its very nature as an additional step, add processing requirements, but as pointed out by others, depending upon the compute power of your server(s), there usually isn't a noticeable hit or queuing of data. Most systems today have compute that will outperform the physical network connection.
Think layers. HTTP vs. HTTPS is decided before any HTTP request is even sent, so it is enabled at the level of the whole network port, and all HEC tokens are serviced by either an HTTP or an HTTPS input.
Whether the HTTP/HTTPS issue is important for you security-wise depends on your approach to the data you're ingesting: is it highly confidential, such that anyone eavesdropping on it on the wire is a great concern to you, or not?
While Splunk states that switching from HTTPS to HTTP can give a significant performance boost, I'd be cautious with such general statements. It does depend on the hardware you're using and the volume of data you're processing. If you have a fairly modern server or a properly specced VM and you're not processing some humongous amount of data, you should be fairly OK with HTTPS enabled.
By default, HEC runs on HTTPS. If you really want to disable SSL, you can change it as below:
- In the Splunk UI go to Settings -> Data Inputs -> HTTP Event Collector
- Click the "Global Settings" button and uncheck the "Enable SSL" option
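Since the SSL setting is global to the HEC port rather than per token (as the two replies above explain), the practical place to enforce "HTTPS only" for a particular token is the client that holds it. The following Python helper is an added example, not code from this thread or from Splunk: it builds the same request as the curl command in the question (POST to /services/collector, `Authorization: Splunk <token>` header, JSON body) but refuses to send a token and event to a plain `http://` URL unless the caller explicitly opts in, and it interprets HEC's `{"text":"Success","code":0}` reply. The hostname, port and token below are placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector"  # HEC endpoint path used in the thread's curl commands


def build_hec_request(base_url, token, event, sourcetype="demo", allow_plaintext=False):
    """Build an HEC POST request for one event.

    Raises ValueError for an http:// base_url unless allow_plaintext=True, so a token
    and its events are never put on the wire unencrypted by accident.
    """
    parsed = urlparse(base_url)
    if parsed.scheme == "http" and not allow_plaintext:
        raise ValueError("refusing to send HEC token and event over plaintext HTTP: %s" % base_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("HEC base URL must be http(s)://host:port, got: %s" % base_url)

    # Same payload shape as the curl example: sourcetype plus the event itself.
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + HEC_PATH, data=body, method="POST")
    # HEC expects the token in the Authorization header with the "Splunk" scheme.
    req.add_header("Authorization", "Splunk " + token)
    req.add_header("Content-Type", "application/json")
    return req


def parse_hec_response(raw_body):
    """Interpret HEC's JSON reply: code 0 means the event was accepted."""
    resp = json.loads(raw_body)
    return resp.get("code") == 0, resp.get("text", "")


def send_event(base_url, token, event, sourcetype="demo", allow_plaintext=False, timeout=10):
    """Send one event and return (accepted, message). Needs network access to a real HEC."""
    req = build_hec_request(base_url, token, event, sourcetype, allow_plaintext)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_hec_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder endpoint and token (constructed for the example, not real values).
    hec_url = "https://hec.example.invalid:8088"
    hec_token = "TOKEN-PLACEHOLDER"
    req = build_hec_request(hec_url, hec_token, "Test data!")
    print(req.get_method(), req.full_url, req.data.decode())
    try:
        build_hec_request("http://hec.example.invalid:8088", hec_token, "Test data!")
    except ValueError as exc:
        print("blocked:", exc)
```

The scheme check runs before any connection is opened, so a misconfigured URL fails locally rather than with the "Connection reset by peer" seen in the question, and the token never leaves the host in clear text. On the server side, the checkbox in the steps above corresponds to the `enableSSL` setting in the `[http]` stanza of inputs.conf; it applies to the whole HEC port, which is why no per-token override exists.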
------
So this is a global setting and I cannot choose the protocol per token, is it?