Getting Data In: Platform - Wed 8/9/23
| Updated on
[1pm PT / 4pm ET] - Register here and ask questions below. This thread is for the Community Office Hours session on Getting Data In (GDI) to Splunk Platform on Wed, August 9, 2023 at 1pm PT / 4pm ET.
Join our bi-weekly Office Hour series where technical Splunk experts answer questions and provide how-to guidance on a different topic every month! This is your opportunity to ask questions related to your specific GDI challenge or use case, including:
- How to onboard common data sources (AWS, Azure, Windows, *nix, etc.)
- Using forwarders
- Apps to get data in
- Data Manager (Splunk Cloud Platform)
- Ingest actions, archiving your data, and anything else you’d like to learn!
Please submit your questions below as comments in advance. You can also head to the #office-hours user Slack channel to ask questions (request access here).
Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.
Look forward to connecting!
Here are some questions from the session (full Q&A and live recording posted in the #office-hours user Slack channel):
Q1: How to bring data in from VMWare and VCenter and how to get the Hydra Gateway to work.
Q2: How can I troubleshoot common issues when using HEC (e.g., data not being ingested, missing HEC tokens)?
- It’s testing connectivity similar to any web service. Something like this is a good start. curl -k https://hostnameofhecreciever:8088/services/collector/health
Q3: Are there ways to monitor the usage and health of HEC endpoints to ensure proper data ingestion?
- The MC has a panel for HEC. If you can’t find this, this can be found with some Splunk searches.
- This page also gives a great breakdown of the logging and additional troubleshooting: https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/TroubleshootHTTPEventCollector
Q4: Can you tell me about OTel as a TA? What are the benefits and why would I use this vs. staying on UF?
- A streamlined GDI experience that allows you to adopt Observability Cloud in a familiar way
- Ingest metrics and traces and send to O11y Cloud without deploying a standalone OTel Collector
- Deploy OTel TA just like how you deploy other TAs, through Deployment Server, 3rd party tools or directly onto UFs
- Start/stop OTel TA in tandem with Universal Forwarder start/stop
- No change to your existing log ingestion via UF deployment
- 1st time deployment instructions here
Q5: Can you configure forwarders to communicate to an indexer outside the network?
- Intermediate Forwarding (Good Option)
- Universal Forwarder will send to another Forwarder before leaving network
- Intermediate Forwarder will need remote network access, endpoint will not
- Difficult to manage and can cause issues with data quality and performance
- Link to doc
- Splunk Universal Forwarder can send data over HTTP (Better Option)
- Best used when unable to open network traffic to use the Splunk to Splunk (S2S) Service.
- Load Balancing Supported
- Indexers will need to have HEC configured
- Event Breaker settings Important!
- Link to doc
