Solved: How can we find out which HTTP Event Collector tok... - Splunk Community

Getting Data In

We have numerous input stanzas like -

[http://<name>]
disabled = 0
token = xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx
index = <index name>
indexes = <index name>
queueSize = 100MB
useACK = 0
sourcetype = json

As time passes by, we have more and more stale connections. Can we find out which tokens are stale and not being used?

1 Solution

Solution

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

View solution in original post

Solution

Hi,

You can check which HEC token is in use in _introspection Index with below query.

index=_introspection host=YOUR_HEC_HOST  sourcetype=http_event_collector_metrics data.token_name=*
| rename data.* as *
| table host, component, token_name, num_*

If there will be 0 num_of_requests or num_of_events for longer time span then I guess you can disable those token for few days and then remove it.

Gorgeous @ harsmarvania57.

how can we pull same information using rest API call?

Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...