I haven't done a ton with Splunk metric indexes in the past, if I'm looking to forward the cribl metrics into splunk, is it similar to log data, where I add an index field via a pipeline to route correctly so I can route the data into Splunk via HEC?
Question
if I'm looking to forward the cribl metrics into splunk, is it similar to log data?
yep. you could also depend on Splunk-side configs to override/provide a default index
true, I didn't think of that as I just use a single HEC token at the moment for all my my Cribl needs
as in, you have a separate HF tier for HEC?
or you mean HEC on the indexers vs S2S on the indexers?
Not that it matters, but I'm a Splunk cloud customer, and I just generally send everything in via HEC
I prefer:sources ---> Cribl ---hec---> indexers
not a fan of:sources ---> Cribl ---hec---> HF ---S2S--> indexers
:chef_fingers_kiss:
Ah :cloud: gotcha.We do have a HEC HF tier. But for sources that don't need any TA's/additional data wrangling after Cribl, then it seems redundant to pass them through the HEC's, right? So for the internal metrics and log sources specifically:Source (internal metrics) --> Cribl (obvs) --> Splunk Indexer LB
you can do it that way. I prefer delivery to HEC on indexers (not HFs). I like HEC delivery over S2S
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.