Hi,
I have customers interested in using the HTTP event collector, but I'm still running 6.1 indexers and search heads. Can I set up a farm of 6.3 forwarders and send them to 6.1 indexers?
Hi folks
We've just added new documentation on distributed deployment. You can find it here.
Yes you can have 6.3 Event Collector instances which forward to 6.2. In the configuration of EC you can select an output group for it to forward to. The receiving indexers do not have to be 6.3.
As to the UF, it is not supported today, though it may work. Only HWF is supported from a forwarder perspective.
http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
I'm not seeing anything that says that the functionality does not exist on [universal] forwarders but haven't tried. I'd say give it a try and see? You can run a curl command against it to see if it catches your http request.