Best practices for HEC for on prem Splunk Distribu...

abhi04 · ‎05-22-2020

Hello All,

We have a splunk distributed environment with intermediate heavy forwarder tier and indexer tier.
We need to implement HEC in our current environment which will include how to write to multiple indexes with a single token and ensure some level of resiliency.Please let me know what will be the best approach for this.

lloydknight · ‎05-22-2020

Hi @abhi04

Though I'm not quite sure if there's a best practice on implementing HEC for Distributed deployment, you can apply persistent queues to improve the data input process and potentially prevent data loss.

Please see link below for more information regarding this:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Usepersistentqueues

Best practices for HEC for on prem Splunk Distributed environment?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Best practices for HEC for on prem Splunk Distributed environment?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>