Just wanted to add this one for future readers. Another important advantage of HEC over TCP is error handling. Specifically, if you send data to a TCP endpoint, there is no interaction: no response from the TCP endpoint to let you know data has been received and processed. If there are load issues on the server or queues are filled up, there is a chance that data will get lost. Data may get dropped and the sending process will not have any idea there was an issue. With HEC, you get an HTTP response such as a 400 or 500 error indicating problems. While most of the possible errors are specific to HEC, at least 2 would be an advantage over TCP (Server is busy and Internal Server Error): https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/TroubleshootHTTPEventCollector#Possible_error_codes Receiving these codes, a sender would know there is a problem and could attempt to resend the data again later. You can also configure "use Ack", which will allow the sender to check and confirm that data has been received and indexed before purging those events from the system.
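A sender-side sketch of the behaviour described in the post above, added here as an example and not part of the original post or Splunk's own code: events stay buffered until HEC answers 200, and the batch is resent with backoff on HTTP 500 and 503. The names `http_post` and `deliver` are hypothetical, the retry set is an assumption, and indexer acknowledgment is not covered.

```python
import json
import time
import urllib.error
import urllib.request

# Assumption: only these two statuses are treated as transient
# (Internal Server Error, Server is busy).
RETRYABLE = {500, 503}


def http_post(url, token, payload, timeout=10):
    """POST one batch to a HEC URL; return (HTTP status, response body)."""
    req = urllib.request.Request(
        url, data=payload.encode(),
        headers={"Authorization": f"Splunk {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read().decode()


def deliver(events, post, max_tries=5, base_delay=1.0, sleep=time.sleep):
    """Send events through post(payload) -> (status, body).

    Returns (outcome, attempts, last_body) where outcome is "sent",
    "rejected" or "gave_up". The caller purges its buffer only on "sent".
    """
    payload = "\n".join(json.dumps({"event": e}) for e in events)
    body = ""
    for attempt in range(1, max_tries + 1):
        status, body = post(payload)
        if status == 200:
            return "sent", attempt, body
        if status not in RETRYABLE:
            # e.g. 400/401/403: resending the same request will not help,
            # so surface it for an operator instead of looping.
            return "rejected", attempt, body
        if attempt < max_tries:
            sleep(base_delay * 2 ** (attempt - 1))  # exponential backoff
    return "gave_up", max_tries, body


if __name__ == "__main__":
    # Constructed responses standing in for a busy server that recovers.
    fake = iter([(503, '{"text":"Server is busy","code":9}'),
                 (200, '{"text":"Success","code":0}')])
    print(deliver(["login failed for user x"], lambda p: next(fake),
                  sleep=lambda s: None))
```

For a real endpoint, pass `lambda p: http_post(url, token, p)` as `post`; a raw TCP input gives the sender no equivalent signal to branch on.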