Read here for Splunk's best practices for creating custom indexes. Configuring the data inputs in HEC allows for ease of configuration at the data source and flexibility in organizing data in Splunk. So if you had several web application services running, each with its own HEC token, the HEC inputs could all be configured to send their data to a "web_app" index. In terms of organizing data into indexes, separate tokens can be configured to send data to the same index if it makes sense to do so. Creating tokens this way also allows you to quickly identify and troubleshoot issues with your inputs if they ever come up. If you ever need to send data to Splunk from a new application or service in Docker, you can simply create a new token and then configure the sourcetype and index on the HEC. Setting it up this way gives you a lot of control in terms of managing your data in Splunk. I recommend that you generate one token for each application/service in Docker that is routing data to Splunk.
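The layout described above, written out as an `inputs.conf` fragment for the Splunk side. This is an added example, not configuration from the original post: the stanza names, sourcetypes, token values and the `batch_jobs` index are constructed placeholders, and `web_app` is the index named above.

```ini
# inputs.conf on the Splunk instance that receives HEC traffic.
# Constructed example: stanza names, sourcetypes and token values are placeholders.

# Global HEC settings shared by every token.
[http]
disabled = 0
port = 8088
enableSSL = 1

# One stanza (one token) per Docker application/service.
# Both web services write to the same "web_app" index but keep their
# own sourcetype, so their events stay distinguishable inside it.
[http://docker_web_frontend]
disabled = 0
token = 00000000-0000-0000-0000-000000000001
index = web_app
# Limit the token to this index so a sender cannot route events elsewhere.
indexes = web_app
sourcetype = docker:web_frontend

[http://docker_web_api]
disabled = 0
token = 00000000-0000-0000-0000-000000000002
index = web_app
indexes = web_app
sourcetype = docker:web_api

# A service added later gets its own token, with sourcetype and index
# set here on the HEC input rather than at the data source.
[http://docker_batch_worker]
disabled = 0
token = 00000000-0000-0000-0000-000000000003
# "batch_jobs" is a hypothetical index used only for illustration.
index = batch_jobs
indexes = batch_jobs
sourcetype = docker:batch_worker
```

Because each service has its own stanza, a leaked or misbehaving token can be set to `disabled = 1` or replaced without touching the other inputs.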