Re: HTTP Event Collector: Can I set up a farm of S...

a212830 · ‎10-05-2015

Hi,

I have customers interested in using the HTTP event collector, but I'm still running 6.1 indexers and search heads. Can I set up a farm of 6.3 forwarders and send them to 6.1 indexers?

gblock_splunk · ‎11-03-2015

Hi folks

We've just added new documentation on distributed deployment. You can find it here.

gblock_splunk · ‎10-06-2015

Yes you can have 6.3 Event Collector instances which forward to 6.2. In the configuration of EC you can select an output group for it to forward to. The receiving indexers do not have to be 6.3.

As to the UF, it is not supported today, though it may work. Only HWF is supported from a forwarder perspective.

sloshburch · ‎10-05-2015

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

I'm not seeing anything that says that the functionality does not exist on [universal] forwarders but haven't tried. I'd say give it a try and see? You can run a curl command against it to see if it catches your http request.

HTTP Event Collector: Can I set up a farm of Splunk 6.3 forwarders and send them to to 6.1 indexers?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...