Solved: What are the steps to set up HEC on a cluster

robertlynch2020 · ‎10-07-2021

Hi

I am trying to send data into a cluster with 1 SH, 1MN and 3 indexers.

I am unsure if I

A: Send data to the search head then use the output groups to send the data to the indexers
B: Send the data directly to the indexers (However I don't have a way to load balance this data)

Regards

Robert

richgalloway · ‎10-07-2021

C. Stand up a heavy forwarder, set up HEC there, and let the HF load-balance to the indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-07-2021

C. Stand up a heavy forwarder, set up HEC there, and let the HF load-balance to the indexers.

---
If this reply helps you, Karma would be appreciated.

robertlynch2020 · ‎10-12-2021

Thanks for your help

PickleRick · ‎10-07-2021

As a bit of a further explanation - Search-heads are not normally used for event receiving. Maybe you could use them as forwarders (I'm not sure of that) but that's neither a typical use nor a supported one.

If you set up a HEC input on a single indexer you'd have a highly asymmetrical index distribution. If you set up a HEC input on multiple indexers, you'd need an external load-balancer. And again - distributed inputs are also not a supported setup. You usually supply indexer cluster with data from forwarders (in case of HEC you need Heavy Forwarder).

What are the steps to set up HEC on a cluster

using Splunk Enterprise

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...