Send data from Edge Processors to non-connected Splunk platform deployments using HEC

When sending data from an Edge Processor to a Splunk Enterprise deployment or a Splunk Cloud Platform deployment that is not connected to your tenant, you can choose to send that data using the HTTP Event Collector (HEC). HEC is a mechanism that allows HTTP clients and logging agents to send data to the Splunk platform over HTTP or HTTPS.

There are multiple HEC endpoints available, but the Edge Processor supports only the services/collector endpoint when sending data out through HEC. See services/collector in the Splunk Enterprise REST API Reference Manual for more information.
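
As an added illustration that is not part of the Splunk documentation, the following Python builds the kind of request an HTTP client makes to the services/collector endpoint: a POST carrying the HEC token in an Authorization header and one or more JSON event objects in the body. It can be used to check a HEC token and URL before entering them in a destination. The host name, port 8088, token and sample events are constructed placeholders, and the function names are this example's own.

```python
import json
import urllib.request
from urllib.parse import urlsplit

HEC_PATH = "/services/collector"  # the endpoint the page names for Edge Processor output


def build_hec_request(base_url, token, events, allow_plain_http=False):
    """Build (without sending) a POST to services/collector for a list of event dicts."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url must look like https://host:port")
    if parts.scheme == "http" and not allow_plain_http:
        # Over plain HTTP the HEC token and the events cross the network unencrypted.
        raise ValueError("refusing plain HTTP; use https:// or set allow_plain_http=True")
    if not token:
        raise ValueError("a HEC token is required")
    if not events or any("event" not in ev for ev in events):
        raise ValueError("need at least one object, each with an 'event' key")
    # HEC accepts several JSON objects concatenated in one request body (batching).
    body = "".join(json.dumps(ev, separators=(",", ":")) for ev in events)
    return urllib.request.Request(
        f"{parts.scheme}://{parts.netloc}{HEC_PATH}",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )


def send(req, timeout=10):
    """Send the request; urllib verifies the server certificate by default."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


# Constructed sample events; "hec_preflight" is a made-up sourcetype.
SAMPLE_EVENTS = [
    {"event": "pre-flight check 1", "sourcetype": "hec_preflight"},
    {"event": {"msg": "pre-flight check 2"}, "sourcetype": "hec_preflight"},
]

if __name__ == "__main__":
    # Placeholder host and token: replace with your own before calling send(req).
    req = build_hec_request("https://splunk.example.com:8088",
                            "00000000-0000-0000-0000-000000000000", SAMPLE_EVENTS)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```
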

Start by adding a Splunk platform HEC destination in the Edge Processor service. You can configure the destination to send data to a specific Splunk platform instance, or to a load balancer or DNS that passes data to multiple instances. Splunk platform HEC destinations cannot send data to multiple instances directly.

Then, create a pipeline that uses that destination. When you apply that pipeline to your Edge Processor, the Edge Processor starts sending the data that it receives to your Splunk platform deployment.

The specific index that the data from an Edge Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using HEC.

Note: You can also send data using the Splunk-to-Splunk (S2S) protocol instead of HEC, or send data to the Splunk Cloud Platform deployment that is connected to your tenant without needing to add any destinations. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.