Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to deploy HEC and token to indexers in a cluster?

rholm01
Explorer
‎03-19-2019 10:42 AM

I am trying to figure out how to configure my cluster master to generate a token and HEC configuration information/files to my index cluster. The documentation is not clear as to how this is done. I believe, in the global settings for the token, I can configure the ouptpuGroup with the indexers in my cluster and thereby load-balancing across the bunch of them. Not sure about the configuration needed to do this.

0 Karma
Reply

saravanan90
Contributor
‎03-12-2020 04:05 AM

We can create a separate token in master cluster. Copy the configurations and push it to indexers.

Sample configurations.

In mastercluster /opt/splunk/etc/master-apps/http_event_config/local/inputs.conf

[http]
disabled=0

[http://temp]
disabled=0
index = test
source = syslog
token = generated token from mastercluster

Validate and push the config bundle to indexer and test with the below command.

curl -k https://indexerip:8088/services/collector/event -H "Authorization: Splunk XXXXX-generatedtoken-XXXXXX" -d '{"event" : "helloworld"}'

Reply

dhawal_sanghvi
New Member
‎07-16-2020 05:09 AM

While creating a new HEC token from the master cluster portal, the HEC token generated is located in master cluster VM in the following path= /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf.

How should we push the HEC token from master cluster to the indexer peer using Config bundle action? Should we manually copy the inputs.conf from /opt/splunk/etc/apps/splunk_httpinput/local to /opt/splunk/etc/master-apps/splunk_httpinput/local and then Validate and push the config bundle to indexer?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎03-19-2019 03:27 PM

If you refer to Update common peer configurations and apps you configure the HEC tokens inside the cluster master (or master node) and push the configuration out.

The HEC token is local to each indexer, the indexer receiving the data via HEC will index it, there is no requirement for output groups on an indexer...(nor will it forward to another indexer).

The load balancing of HEC traffic has to be done by something outside the Splunk indexers, for example the client or a load balancer before they get to the indexers on port 8088

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...