Edge Delta Splunk HEC Destination
Configure the Edge Delta Splunk destination to send telemetry data using the Splunk output node with optional TLS and token passthrough settings.
Edge Delta provides two powerful methods for sending data to Splunk, each designed for specific use cases and deployment scenarios. Choose the integration that best fits your infrastructure and requirements.
The Splunk TCP destination uses the native Splunk-to-Splunk (S2S) protocol to send data directly to Splunk indexers or heavy forwarders over TCP port 9997. This destination is ideal as a direct replacement for Splunk Universal Forwarders, making it the best choice for organizations with existing Splunk forwarder infrastructure or on-premises Splunk deployments. It’s particularly well-suited for scenarios requiring certificate-based authentication.
The key advantages of this integration include native Splunk protocol compatibility, which ensures seamless communication with your existing Splunk infrastructure. It supports certificate-based authentication for enhanced security and requires minimal configuration changes when migrating from Universal Forwarders. Additionally, it provides full support for TLS encryption to protect data in transit.
Note: This node is currently in beta and is available for Enterprise tier accounts.
The Splunk HEC (HTTP Event Collector) destination sends data to Splunk using the modern HTTP/HTTPS protocol through the HEC endpoint on port 8088. This destination excels in cloud-based Splunk deployments and modern, API-first architectures. It’s the preferred choice for environments that favor token-based authentication and require easy integration with load balancers and proxies.
This integration offers several compelling features, including HTTP/HTTPS protocol for firewall-friendly communication, making it easier to traverse network boundaries. It uses token-based authentication, which simplifies credential management and rotation. The HEC output provides built-in support for Splunk Cloud and offers flexible routing and load balancing options, enabling high availability and scalability for your data pipeline.
| Consideration | Splunk TCP (S2S) | Splunk HEC |
|---|---|---|
| Protocol | TCP (port 9997) | HTTP/HTTPS (port 8088) |
| Authentication | Certificate-based | Token-based |
| Universal Forwarder Compatibility | Drop-in replacement | Requires reconfiguration |
| Cloud Friendliness | Better for on-premises | Optimized for cloud |
| Load Balancing | TCP load balancers | HTTP load balancers |
| Firewall Traversal | May require specific rules | HTTP-friendly |
| Setup Complexity | Minimal if replacing UF | Simple token configuration |
If you’re currently using Splunk Universal Forwarders, the Splunk TCP destination provides the smoothest migration path:
For new deployments or modernization initiatives, consider the Splunk HEC output for its:
Many organizations benefit from using both destination types simultaneously to address diverse requirements. You might use the Splunk TCP destination for legacy systems that require the S2S protocol while deploying the HEC output for cloud-native applications. This approach allows gradual modernization without disrupting existing workflows.
For global operations, you can configure region-specific destinations tailored to local requirements. Each region might use different authentication methods based on security policies, connect to local Splunk instances to minimize latency, and ensure compliance with data residency requirements. This flexibility enables you to optimize performance while meeting regulatory obligations.
Edge Delta supports redundancy through multiple simultaneous destinations, ensuring continuous data flow even during outages. You can configure primary and backup Splunk instances with automatic failover capabilities, while the built-in buffering mechanism preserves data during temporary connection issues. This architecture provides peace of mind for mission-critical telemetry data.
For comprehensive troubleshooting of all Splunk integrations, see the Splunk Troubleshooting Guide.
Configure the Splunk TCP destination node to send data directly to Splunk over TCP using the Splunk-to-Splunk (S2S) protocol.