If I'm looking to forward the Cribl metrics into Splunk, is it similar to log data?
I haven't done a ton with Splunk metric indexes in the past. If I'm looking to forward the Cribl metrics into Splunk, is it similar to log data, where I add an index field via a pipeline to route correctly so I can route the data into Splunk via HEC?
Answers
-
yep. you could also depend on Splunk-side configs to override/provide a default index
0 -
true, I didn't think of that as I just use a single HEC token at the moment for all my Cribl needs
0 -
thanks!
0 -
Curious, any advantages of sending to the HEC versus directly to the indexers?
0 -
For metrics especially.
0 -
as in, you have a separate HF tier for HEC?
0 -
or you mean HEC on the indexers vs S2S on the indexers?
0 -
Not that it matters, but I'm a Splunk cloud customer, and I just generally send everything in via HEC
0 -
I prefer: sources ---> Cribl ---hec---> indexers
0 -
not a fan of: sources ---> Cribl ---hec---> HF ---S2S--> indexers
0 -
I don't have a Splunk HF tier at the moment, so I sort of view Cribl as my HF tier
0 -
:chef_fingers_kiss:
0 -
Ah :cloud: gotcha. We do have a HEC HF tier. But for sources that don't need any TAs/additional data wrangling after Cribl, then it seems redundant to pass them through the HECs, right? So for the internal metrics and log sources specifically: Source (internal metrics) --> Cribl (obvs) --> Splunk Indexer LB
0 -
you can do it that way. I prefer delivery to HEC on indexers (not HFs). I like HEC delivery over S2S
0