https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327882#M4727 <P>We had the same issues, too when we were starting to integrate many different applications.<BR /> The problem in enterprise environments is that you have many different applications, where a few may only be able to send syslog data, while other are only accessible via DBConnect or other vendor-specific apps from Splunkbase.</P> <P>A couple of big vendors already have documented some of these information in their documentation (how to get data into third-party tools).</P> <P>We started like this: Make a list with the available options to get data into your Splunk environment. If possible, concentrate on a few of them (syslog, directory monitoring, UF, DBConnect, scripted input, ...).<BR /> You don't want to support 20 different ways in your company of how to get data into your Splunk environment.</P> <P>So, whenever a new application wants to get its data analyzed by Splunk, its responsible person could fill a check list which options are supported by the application (database connection, syslog stream, HTTP Event Collection, OPSEC-lea, local directory monitoring, ...).</P> <P>We have a couple of standard inputs we offer applications/application owners:<BR /> - Syslog (<EM>and specify a port, we don't use 514 because splunk doesn't run as root</EM>)<BR /> - DBConnect<BR /> - vendor-specific app (like OPSEC LEA)<BR /> - Universal Forwarder (deployed on the host of the application, for example useful with Domain Controllers)</P> <P>However, sometimes you need to allow the option to get data on a different way into your system. For example, if you have special applications (like anything on z/OS.. pain in the ass sometimes).</P> <P>Tl;dr: Look at the common ways to get data into Splunk, choose a couple of them and build your infrastructure around it. We, for example, are using a lot of Heavy Forwarders (HF) in different (V)LANs where applications send their data to us. So we are kind of flexible here. If a product doesn't support syslog, we can check for an existing Splunkbase app, install it on the HF and use a different way then.</P> <P>I don't think there are specific guides out there, atleast I don't know any. If you have a big project coming up, you might want to get Splunk involved when planning a big infrastructure.</P> <P>Skalli</P> <P>Edit: typo</P> Tue, 06 Jun 2017 11:31:17 GMT skalliger 2017-06-06T11:31:17Z https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327879#M4724 <P>Is there any guide available for Custom Data Source Integration with Splunk? What all methods are available for custom Data Source. What are the challenges for the same?</P> Tue, 06 Jun 2017 08:46:39 GMT https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327879#M4724 sayash27 2017-06-06T08:46:39Z https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327880#M4725 <P>Hi,</P> <P>I think this is a good start:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor">http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor</A> and<BR /> <A href="http://dev.splunk.com/view/dev-guide/SP-CAAAE3A">http://dev.splunk.com/view/dev-guide/SP-CAAAE3A</A></P> <P>So, out of the box, Splunk can index:</P> <UL> <LI>Files and directories</LI> <LI>Network events (also streams)</LI> <LI>Windows sources</LI> <LI>anything that uses Splunk's REST api</LI> </UL> <P>What kind of answer do you expect? Your question is really.. abstract to be answered. Even if there was no appropriate method to get your data into Splunk, someone could use the Splunk SDK to write a modular input for your use case: <A href="http://dev.splunk.com/view/python-sdk/SP-CAAAER3">http://dev.splunk.com/view/python-sdk/SP-CAAAER3</A></P> <P>Skalli</P> Tue, 06 Jun 2017 10:17:27 GMT https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327880#M4725 skalliger 2017-06-06T10:17:27Z https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327881#M4726 <P>Thanks Skalli for your input.</P> <P>I was looking for any guide if we want to integrate any inhouse application or if any data source is not supported by splunk. So what all are the ways to integrate those application or devices(Like Custom Parser) and what can be challenges for the same.</P> <P>Is any guide available for this?</P> <P>Regards<BR /> Sayash</P> Tue, 06 Jun 2017 11:12:33 GMT https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327881#M4726 sayash27 2017-06-06T11:12:33Z https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327882#M4727 <P>We had the same issues, too when we were starting to integrate many different applications.<BR /> The problem in enterprise environments is that you have many different applications, where a few may only be able to send syslog data, while other are only accessible via DBConnect or other vendor-specific apps from Splunkbase.</P> <P>A couple of big vendors already have documented some of these information in their documentation (how to get data into third-party tools).</P> <P>We started like this: Make a list with the available options to get data into your Splunk environment. If possible, concentrate on a few of them (syslog, directory monitoring, UF, DBConnect, scripted input, ...).<BR /> You don't want to support 20 different ways in your company of how to get data into your Splunk environment.</P> <P>So, whenever a new application wants to get its data analyzed by Splunk, its responsible person could fill a check list which options are supported by the application (database connection, syslog stream, HTTP Event Collection, OPSEC-lea, local directory monitoring, ...).</P> <P>We have a couple of standard inputs we offer applications/application owners:<BR /> - Syslog (<EM>and specify a port, we don't use 514 because splunk doesn't run as root</EM>)<BR /> - DBConnect<BR /> - vendor-specific app (like OPSEC LEA)<BR /> - Universal Forwarder (deployed on the host of the application, for example useful with Domain Controllers)</P> <P>However, sometimes you need to allow the option to get data on a different way into your system. For example, if you have special applications (like anything on z/OS.. pain in the ass sometimes).</P> <P>Tl;dr: Look at the common ways to get data into Splunk, choose a couple of them and build your infrastructure around it. We, for example, are using a lot of Heavy Forwarders (HF) in different (V)LANs where applications send their data to us. So we are kind of flexible here. If a product doesn't support syslog, we can check for an existing Splunkbase app, install it on the HF and use a different way then.</P> <P>I don't think there are specific guides out there, atleast I don't know any. If you have a big project coming up, you might want to get Splunk involved when planning a big infrastructure.</P> <P>Skalli</P> <P>Edit: typo</P> Tue, 06 Jun 2017 11:31:17 GMT https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327882#M4727 skalliger 2017-06-06T11:31:17Z https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327883#M4728 <P>Thanks a lot Skalli. Appreciate your detailed input <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Wed, 07 Jun 2017 05:30:34 GMT https://community.splunk.com/t5/Splunk-Dev/Is-there-any-guide-available-for-Custom-Data-Source-Integration/m-p/327883#M4728 sayash27 2017-06-07T05:30:34Z