Prerequisites
Before you can add a destination that sends data to the Splunk platform using HEC, you must do the following:
- In the Splunk platform deployment, turn on the HTTP Event Collector.
- Turn on the HEC token that you want to use, and make sure that the token configuration meets these requirements:
  - The Enable indexer acknowledgement setting is turned off.
  - The token allows data to be sent to all indexes. In the token configuration settings in Splunk Web, make sure that the Selected Indexes pane of the Select Allowed Indexes control is empty.

  CAUTION: If you try to send data from your Edge Processor using a HEC token that doesn't meet these requirements, data loss can occur.
- If you're planning to send data to multiple Splunk platform instances, such as multiple indexers, then you must configure a load balancer or DNS to pass the data from the Edge Processor to those instances.
- Make note of one of the following values, depending on how you plan to send your data:
  - If you're sending data to a specific Splunk platform instance, then make note of the HEC URI for that instance. For information about HEC URI formats, see the following sections in the Splunk Cloud Platform Getting Data In manual:
  - If you're using a load balancer or DNS to send data to multiple Splunk platform instances, then make note of the URL of the load balancer or DNS.
- If you're sending data to a Splunk Enterprise indexer that has the enableSSL property set to 1 in the inputs.conf file, that means the indexer uses mTLS for HEC connections and requires connecting clients to authenticate themselves using TLS certificates. In this case, you must obtain certificates for proving the Edge Processor's identity. See the Obtaining TLS certificates section in this topic for more information.
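
On a Splunk Enterprise indexer where you can read the configuration files, the token requirements and the enableSSL condition above can be checked before the destination is added. The following is an added example, not Splunk's own tooling: it assumes that the Splunk Web settings correspond to the useACK and indexes keys in the per-token [http://<name>] stanzas of inputs.conf, that the text passed in is the effective (merged) configuration, and that check_hec and the sample stanza names are hypothetical.

```python
import configparser

# Constructed sample of an indexer's effective inputs.conf (not a real deployment).
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
enableSSL = 1

[http://edge_processor]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
useACK = 0
indexes =

[http://legacy_app]
disabled = 0
token = 11111111-1111-1111-1111-111111111111
useACK = true
indexes = main,security
"""

def _is_true(value):
    # Common spellings of a true value; a missing key counts as not set.
    return value is not None and value.strip().lower() in {"1", "true", "t", "yes", "y"}

def check_hec(conf_text):
    """Return ({name: [problems]}, certs_needed) for the HEC stanzas in conf_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. useACK and enableSSL
    cp.read_string(conf_text)
    global_cfg = cp["http"] if cp.has_section("http") else {}
    findings = {}
    if _is_true(global_cfg.get("disabled")):
        findings["[http]"] = ["HTTP Event Collector is turned off"]
    for section in cp.sections():
        if not section.startswith("http://"):
            continue
        tok, problems = cp[section], []
        if _is_true(tok.get("disabled")):
            problems.append("token is turned off")
        if _is_true(tok.get("useACK")):
            problems.append("indexer acknowledgement is turned on")
        if tok.get("indexes", "").strip():
            problems.append("token is restricted to selected indexes")
        findings[section[len("http://"):]] = problems
    # Per the prerequisite above: enableSSL = 1 means certificates must be obtained.
    return findings, _is_true(global_cfg.get("enableSSL"))

if __name__ == "__main__":
    print(check_hec(SAMPLE_INPUTS_CONF))
```

A token with an empty problem list meets the requirements listed above; any other token should be corrected in Splunk Web before the Edge Processor uses it.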