onbase application log onboarding into splunk

sankardevarajan
Explorer

I want to onboard application logs into Splunk Cloud.

Hyland.Logging can be configured to send information to Splunk as well as the Diagnostics Console by modifying the .config file of the server. To configure Hyland.Logging to send information to Splunk:

<Route name="Logging_Local_Splunk" >
<add key="Splunk" value="http://localhost:SplunkPort"/>
<add key="SplunkToken" value="SplunkTokenNumber"/>
<add key="DisableIPAddressMasking" value="false" />
</Route>

Configuring Hyland.Logging for Splunk • Application Server • Reader • Product Documentation 

I am not understanding where we need to configure the above config in Splunk.

It would be much appreciated if anyone could guide me.

0 Karma

livehybrid
Super Champion

Hi @sankardevarajan 

The configuration you provided is for the OnBase application to send logs to Splunk, not for Splunk configuration itself. You need to configure the OnBase application's .config file to send logs to Splunk.

The configuration snippet you provided is for the Hyland.Logging component, which is part of the OnBase application. You need to modify the .config file (likely Application-Server-Web.config or another relevant config file) on the OnBase Application Server to include the specified route.

<Route name="Logging_Local_Splunk" >
  <add key="Splunk" value="http://your-splunk-heavy-forwarder-or-indexer:8088"/>
  <add key="SplunkToken" value="your-splunk-http-event-collector-token"/>
  <add key="DisableIPAddressMasking" value="false" />
</Route>

To receive these logs in Splunk Cloud, you need to:

  1. Set up an HTTP Event Collector (HEC) token in your Splunk Cloud instance.
  2. Configure the OnBase application to send logs to the HEC endpoint.

In Splunk Cloud, you will need to create an HEC token and get the HEC endpoint URL. You can then use this token and endpoint URL in the OnBase application's .config file.

The http://localhost:SplunkPort in the configuration should be replaced with the URL of your Splunk HEC endpoint (typically https://http-inputs-<stackName>.splunkcloud.com) and SplunkTokenNumber should be replaced with the actual HEC token.

For more information on configuring HEC in Splunk Cloud, refer to https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector.

For reference the current instructions for creating HEC tokens for Splunk Cloud are:

  1. Click Settings > Add Data.
  2. Click monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  8. Click Next.
  9. (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
  10. Click Review.
  11. Confirm that all settings for the endpoint are what you want.
  12. If all settings are what you want, click Submit. Otherwise, click < to make changes.
  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
  14. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud Platform deployment. When you see a status of "Done", you can then use the token to send data to HEC.

Ensure that the Splunk HEC endpoint is accessible from the OnBase Application Server. If it's not, you may need to set up a Heavy Forwarder to act as an intermediary.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
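
Added example (not part of the thread and not Hyland or Splunk code): a Python check that lints the Route element from the question before it is deployed to the OnBase Application Server, then builds a one-event test request for the HEC event endpoint. The function names, the GUID check on the token and the reading of DisableIPAddressMasking from its key name are assumptions; the page does not say whether Hyland.Logging appends the collector path itself.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the vendor snippet from the question, placeholders left in.
SAMPLE_ROUTE = """
<Route name="Logging_Local_Splunk">
  <add key="Splunk" value="http://localhost:SplunkPort"/>
  <add key="SplunkToken" value="SplunkTokenNumber"/>
  <add key="DisableIPAddressMasking" value="false"/>
</Route>
"""

# HEC tokens are GUIDs; anything else is treated as an unreplaced placeholder.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def route_settings(xml_text):
    """Return the <add key=... value=...> pairs of a Route element as a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value", "") for a in root.iter("add")}

def lint_route(xml_text):
    """Return a list of findings; an empty list means the route looks ready."""
    cfg, findings = route_settings(xml_text), []
    url = urlsplit(cfg.get("Splunk", ""))
    if url.scheme != "https":
        findings.append("Splunk: use https so the token is not sent in clear text")
    if url.hostname in (None, "localhost", "127.0.0.1"):
        findings.append("Splunk: host is missing or still points at localhost")
    if not GUID.match(cfg.get("SplunkToken", "")):
        findings.append("SplunkToken: not a GUID, placeholder was not replaced")
    # Assumption from the key name: "true" turns masking of IP addresses off.
    if cfg.get("DisableIPAddressMasking", "false").lower() == "true":
        findings.append("DisableIPAddressMasking: IPs will reach Splunk unmasked")
    return findings

def hec_test_request(xml_text):
    """Build (do not send) a one-event POST to the HEC event endpoint."""
    cfg = route_settings(xml_text)
    return urllib.request.Request(
        cfg["Splunk"].rstrip("/") + "/services/collector/event",
        data=b'{"event": "OnBase HEC connectivity test"}',
        headers={"Authorization": "Splunk " + cfg["SplunkToken"]},
        method="POST",
    )

if __name__ == "__main__":
    for finding in lint_route(SAMPLE_ROUTE):
        print("FINDING:", finding)
```

Once lint_route returns no findings, passing the result of hec_test_request to urllib.request.urlopen from the Application Server confirms that the endpoint is reachable and the token is accepted.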