
I haven't done a ton with Splunk metric indexes in the past. If I'm looking to forward the Cribl metrics into Splunk, is it similar to log data, where I add an index field via a pipeline to route correctly so I can route the data into Splunk via HEC?

yep. you could also depend on Splunk-side configs to override/provide a default index


true, I didn't think of that as I just use a single HEC token at the moment for all my Cribl needs


thanks!


Curious, any advantages of sending to the HEC versus directly to the indexers?


For metrics especially.


as in, you have a separate HF tier for HEC?


or you mean HEC on the indexers vs S2S on the indexers?


Not that it matters, but I'm a Splunk cloud customer, and I just generally send everything in via HEC


I prefer: sources ---> Cribl ---hec---> indexers


not a fan of: sources ---> Cribl ---hec---> HF ---S2S--> indexers


I don't have a Splunk HF tier at the moment, so I sort of view Cribl as my HF tier


:chef_fingers_kiss:


Ah ☁ gotcha. We do have a HEC HF tier. But for sources that don't need any TA's/additional data wrangling after Cribl, then it seems redundant to pass them through the HEC's, right? So for the internal metrics and log sources specifically: Source (internal metrics) --> Cribl (obvs) --> Splunk Indexer LB


you can do it that way. I prefer delivery to HEC on indexers (not HFs). I like HEC delivery over S2S

