topic Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect in Deployment Architecture

Splunk Heavy Fowarder to Splunk Cloud using DB connect

jsmorgan1it — Wed, 21 Aug 2019 00:17:51 GMT

Okay, our goal is to capture data from a local database using DB connect to query the data and Splunk Heavy Fowarder to push the data up to a Splunk Cloud instance.

Where we are:

Installed Splunk Enterprise
Installed Splunk DB connect on Splunk Heavy Forwarder
Deployed Splunk Cloud Instance
Configured Forwarding/Receiving and Forwarding default settings on the Splunk Heavy Forwarder
Configured Forwarding settings on Splunk Heavy Forwarder to point to Splunk cloud server (www.server.splunkcloud.com:9997)
Outputs.conf file in the LOCAL directory is pointing to our Splunk cloud hostname and port

The help we need:

The Outputs.conf file in the FORWARDER directory has a very different format that the outputs.conf file in the local directory. Do we need to update this outputs.conf file as well if so what data do we input and in what line? (See attached screenshot)
How do we create an index on the Splunk Cloud so that data is pushed from the Heavy Forwarder directly into that index in the cloud?

Thank you!

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

realhippo33 — Wed, 21 Aug 2019 02:11:45 GMT

Sounds like you didn't install the forwarder app you can download from your Splunk Cloud instance. It will have all the right settings and certificates to send data to Splunk Cloud.

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

nareshinsvu — Wed, 21 Aug 2019 05:18:09 GMT

1)
https://answers.splunk.com/answers/148813/steps-to-setup-splunk-forwarder-for-splunk-in-the-cloud.html
https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/HowtoforwarddatatoSplunkCloud

2)
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/ManageIndexes

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

jsmorgan1it — Wed, 21 Aug 2019 05:25:59 GMT

Nareshinsvu, once an index is created and enabled on the Splunk cloud environment, how do we ensure that data pushed from our Heavy Forwarder is sent directly into the index we created and enabled?

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

nareshinsvu — Wed, 21 Aug 2019 05:32:08 GMT

You should probably raise a Support ticket for your data integrity and security related queries. As per their docs,

Data Segregation for Splunk Cloud
Splunk Cloud deployments run in a secured environment, and your data exists on virtually dedicated servers to ensure it remains isolated from other customers’ data.

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

jsmorgan1it — Wed, 21 Aug 2019 05:35:07 GMT

My question was unrelated to data integrity and security but rather, once an index is created how do we ensure data from the Heavy Forwarder pushes the data collected into the index we establish on the Splunk Cloud. Do you know the answer to this?

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

jsmorgan1it — Wed, 21 Aug 2019 05:38:58 GMT

I would think somewhere on the Heavy Forwarder you will have to specify where (what index name) you want the data to reside in once pushed to the Splunk Cloud, no?

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

nareshinsvu — Wed, 21 Aug 2019 05:47:43 GMT

Do go through the conf files involved in Data forwarding before jumping into your environment.

outputs.conf - Indexer discovery etc happens here
inputs.conf - target index, source and sourcetype to be defined here
props.conf & transforms.conf - Filter and extractions of your data to be defined here.

Re: Splunk Heavy Fowarder to Splunk Cloud using DB connect

jsmorgan1it — Wed, 21 Aug 2019 05:51:35 GMT

That's it! Thank you.