Solved: What is the best practice to send logs from univer...

kristen · ‎07-18-2022

I saw that there are two options to send logs from universal forwarder to indexer.

We can use [httpout] to send the logs to HTTP Event Collector on the indexer on port 8088;

alternatively, we can use [tcpout] to send the logs to the indexer on port 9997.

Which one is the best practice to implement? Thanks.

gcusello · ‎07-18-2022

Hi @kristen,

HEC is mainly for applications or if you cannot use tcpout or syslog,

if possible use always tcpout!

Splunk created this way to send logs from Forwarders to Indexers that's optimized (compressed, eventually encrypted, regulated in bandwidth, managing failover and loadbalancing, etc...).

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-18-2022

Hi @kristen,

HEC is mainly for applications or if you cannot use tcpout or syslog,

if possible use always tcpout!

Splunk created this way to send logs from Forwarders to Indexers that's optimized (compressed, eventually encrypted, regulated in bandwidth, managing failover and loadbalancing, etc...).

Ciao.

Giuseppe

What is the best practice to send logs from universal forwarder to indexer?

using Splunk Enterprise

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

What is the best practice to send logs from universal forwarder to indexer?

using Splunk Enterprise

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine