Splunk Enterprise

What are the steps to set up HEC on a cluster

robertlynch2020
Influencer

Hi 

I am trying to send data into a cluster with 1 SH, 1 MN and 3 indexers.

I am unsure if I should:

  • A: Send data to the search head, then use the output groups to send the data to the indexers
  • B: Send the data directly to the indexers (however, I don't have a way to load balance this data)

Regards

Robert


richgalloway
SplunkTrust

C. Stand up a heavy forwarder, set up HEC there, and let the HF load-balance to the indexers.

---
If this reply helps you, Karma would be appreciated.


robertlynch2020
Influencer

Thanks for your help


PickleRick
SplunkTrust

As a bit of a further explanation - Search-heads are not normally used for event receiving. Maybe you could use them as forwarders (I'm not sure of that) but that's neither a typical use nor a supported one.

If you set up a HEC input on a single indexer, you'd have a highly asymmetrical index distribution. If you set up a HEC input on multiple indexers, you'd need an external load-balancer. And again - distributed inputs are also not a supported setup. You usually supply an indexer cluster with data from forwarders (in the case of HEC you need a Heavy Forwarder).
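
The layout recommended in the accepted answer, as an added example that is not part of the original thread: HEC is enabled on the heavy forwarder, and its `outputs.conf` load-balances across the three indexers. The hostnames, token name, token value, index and sourcetype are placeholders; ports 8088 and 9997 are the conventional HEC and forwarding ports and are assumed here.

```ini
# ---------------------------------------------------------------
# inputs.conf on the heavy forwarder (receives HEC traffic)
# ---------------------------------------------------------------
# Global HEC settings: keep TLS on so tokens and events are not
# sent in clear text between the senders and the forwarder.
[http]
disabled = 0
port = 8088
enableSSL = 1

# One token per sending application (stanza name is hypothetical).
# The token value is a placeholder; generate a real GUID and
# treat it as a secret.
[http://app_events]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
index = main
sourcetype = app:json

# ---------------------------------------------------------------
# outputs.conf on the heavy forwarder (sends to the indexers)
# ---------------------------------------------------------------
[tcpout]
defaultGroup = idx_cluster

# Listing all three peers makes the forwarder rotate between them,
# which avoids the lopsided distribution a single-indexer input
# would cause.
[tcpout:idx_cluster]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
# Seconds between switching to another indexer in the list.
autoLBFrequency = 30
# Wait for indexer acknowledgement before discarding sent data.
useACK = true

# ---------------------------------------------------------------
# inputs.conf on each indexer (assumed receiving port)
# ---------------------------------------------------------------
[splunktcp://9997]
disabled = 0
```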
