Hi @kristen, HEC is mainly for applications, or for when you cannot use tcpout or syslog. If possible, always use tcpout! Splunk created this way of sending logs from Forwarders to Indexers, and it is optimized (compressed, eventually encrypted, regulated in bandwidth, managing failover and load balancing, etc.). Ciao. Giuseppe