Send data from Edge Processors to non-connected Splunk platform deployments using HEC
When sending data from an Edge Processor to a Splunk Enterprise deployment or a Splunk Cloud Platform deployment that is not connected to your tenant, you can choose to send that data using the HTTP Event Collector (HEC). HEC is a mechanism that allows HTTP clients and logging agents to send data to the Splunk platform over HTTP or HTTPS.
There are multiple HEC endpoints available, but the Edge Processor only supports these endpoints when sending out data through HEC:
- The services/collector endpoint for sending out events.
- The services/collector/raw endpoint for sending out raw data.
For more information about these endpoints, see Input endpoint descriptions in the Splunk Enterprise REST API Reference Manual.
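The two endpoints take differently shaped requests. The following is an added example, not code from Splunk or from the Edge Processor, that builds a request for each endpoint so you can see what a HEC destination must accept. The host name, token, and function names are constructed for illustration, and rejecting non-HTTPS URLs is a policy this example assumes, not an Edge Processor requirement.

```python
import json
import uuid
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

EVENT_PATH = "/services/collector"      # JSON-wrapped events
RAW_PATH = "/services/collector/raw"    # unparsed raw data


def _check_base(base_url):
    # Assumed policy: refuse plain HTTP so the HEC token is never sent in cleartext.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("HEC destination URL must use https")
    return base_url.rstrip("/")


def build_event_request(base_url, token, events, index=None, sourcetype=None):
    """services/collector: one JSON object per event, batched in a single body."""
    base = _check_base(base_url)
    objs = []
    for ev in events:
        obj = {"event": ev}
        if index:
            obj["index"] = index
        if sourcetype:
            obj["sourcetype"] = sourcetype
        objs.append(json.dumps(obj))
    return Request(base + EVENT_PATH, data="\n".join(objs).encode(), method="POST",
                   headers={"Authorization": f"Splunk {token}"})


def build_raw_request(base_url, token, raw_lines, channel=None, **meta):
    """services/collector/raw: body is the raw text; metadata goes in the query string."""
    base = _check_base(base_url)
    # A channel is always sent so the request also works where the raw endpoint requires one.
    params = {"channel": channel or str(uuid.uuid4())}
    params.update({k: v for k, v in meta.items() if v})
    return Request(f"{base}{RAW_PATH}?{urlencode(params)}",
                   data="\n".join(raw_lines).encode(), method="POST",
                   headers={"Authorization": f"Splunk {token}"})


def hec_accepted(response_body):
    """HEC answers {"text": "Success", "code": 0} when the data was accepted."""
    try:
        return json.loads(response_body).get("code") == 0
    except (ValueError, AttributeError, TypeError):
        return False
```

To send a built request, pass it to urllib.request.urlopen with certificate verification left enabled, then check the response body with hec_accepted.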
To send data from an Edge Processor to the Splunk platform using HEC, start by adding a Splunk platform HEC destination in the Edge Processor service. You can configure the destination to send data to a specific Splunk platform instance, or to a load balancer or DNS that passes data to multiple instances. Splunk platform HEC destinations cannot send data to multiple instances directly.
Then, create a pipeline that uses that destination. When you apply that pipeline to your Edge Processor, the Edge Processor starts sending the data that it receives to your Splunk platform deployment.
The specific index that the data from an Edge Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using HEC.