rss.livelink.thread@place:occasion

Getting Data In: Platform - Wed 8/9/23

adepp — Mon, 21 Aug 2023 17:59:30 GMT

[1pm PT / 4pm ET] - Register here and ask questions below. This thread is for the Community Office Hours session on Getting Data In (GDI) to Splunk Platform on Wed, August 9, 2023 at 1pm PT / 4pm ET.

Join our bi-weekly Office Hour series where technical Splunk experts answer questions and provide how-to guidance on a different topic every month! This is your opportunity to ask questions related to your specific GDI challenge or use case, including:

How to onboard common data sources (AWS, Azure, Windows, *nix, etc.)
Using forwarders
Apps to get data in
Data Manager (Splunk Cloud Platform)
Ingest actions, archiving your data, and anything else you’d like to learn!

Please submit your questions below as comments in advance. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.

Look forward to connecting!

Re: Getting Data In: Platform - Wed 8/9/23

adepp — Wed, 02 Aug 2023 20:18:22 GMT

Hey Everyone!

Post add your questions/comments here for any topics you'd like to see discussed in the Community Office Hours session (you can also head to the #office-hours user Slack channel to ask questions and join the discussion - request access here).

Re: Getting Data In: Platform - Wed 8/9/23

adepp — Mon, 21 Aug 2023 17:56:22 GMT

Here are some questions from the session (full Q&A and live recording posted in the #office-hours user Slack channel):

Q1: How to bring data in from VMWare and VCenter and how to get the Hydra Gateway to work.

Q2: How can I troubleshoot common issues when using HEC (e.g., data not being ingested, missing HEC tokens)?

It’s testing connectivity similar to any web service. Something like this is a good start. curl -k https://hostnameofhecreciever:8088/services/collector/health

Q3: Are there ways to monitor the usage and health of HEC endpoints to ensure proper data ingestion?

The MC has a panel for HEC. If you can’t find this, this can be found with some Splunk searches.
This page also gives a great breakdown of the logging and additional troubleshooting: https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/TroubleshootHTTPEventCollector

Q4: Can you tell me about OTel as a TA? What are the benefits and why would I use this vs. staying on UF?

A streamlined GDI experience that allows you to adopt Observability Cloud in a familiar way
Ingest metrics and traces and send to O11y Cloud without deploying a standalone OTel Collector
Deploy OTel TA just like how you deploy other TAs, through Deployment Server, 3rd party tools or directly onto UFs

Start/stop OTel TA in tandem with Universal Forwarder start/stop
No change to your existing log ingestion via UF deployment

1st time deployment instructions here

Q5: Can you configure forwarders to communicate to an indexer outside the network?

Intermediate Forwarding (Good Option)

Universal Forwarder will send to another Forwarder before leaving network
Intermediate Forwarder will need remote network access, endpoint will not
Difficult to manage and can cause issues with data quality and performance
Link to doc

Splunk Universal Forwarder can send data over HTTP (Better Option)

Best used when unable to open network traffic to use the Splunk to Splunk (S2S) Service.
Load Balancing Supported
Indexers will need to have HEC configured
Event Breaker settings Important!
Link to doc