Solved: Re: Splunk Heavy Fowarder to Splunk Cloud using DB...

jsmorgan1it · ‎08-20-2019

Okay, our goal is to capture data from a local database using DB connect to query the data and Splunk Heavy Fowarder to push the data up to a Splunk Cloud instance.

Where we are:

Installed Splunk Enterprise
Installed Splunk DB connect on Splunk Heavy Forwarder
Deployed Splunk Cloud Instance
Configured Forwarding/Receiving and Forwarding default settings on the Splunk Heavy Forwarder
Configured Forwarding settings on Splunk Heavy Forwarder to point to Splunk cloud server (www.server.splunkcloud.com:9997)
Outputs.conf file in the LOCAL directory is pointing to our Splunk cloud hostname and port

The help we need:

The Outputs.conf file in the FORWARDER directory has a very different format that the outputs.conf file in the local directory. Do we need to update this outputs.conf file as well if so what data do we input and in what line? (See attached screenshot)
How do we create an index on the Splunk Cloud so that data is pushed from the Heavy Forwarder directly into that index in the cloud?

Thank you!

nareshinsvu · ‎08-20-2019

1)
https://answers.splunk.com/answers/148813/steps-to-setup-splunk-forwarder-for-splunk-in-the-cloud.ht...
https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/HowtoforwarddatatoSplunkCloud

2)
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/ManageIndexes

View solution in original post

nareshinsvu · ‎08-20-2019

1)
https://answers.splunk.com/answers/148813/steps-to-setup-splunk-forwarder-for-splunk-in-the-cloud.ht...
https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/HowtoforwarddatatoSplunkCloud

2)
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/ManageIndexes

jsmorgan1it · ‎08-20-2019

Nareshinsvu, once an index is created and enabled on the Splunk cloud environment, how do we ensure that data pushed from our Heavy Forwarder is sent directly into the index we created and enabled?

nareshinsvu · ‎08-20-2019

You should probably raise a Support ticket for your data integrity and security related queries. As per their docs,

Data Segregation for Splunk Cloud
Splunk Cloud deployments run in a secured environment, and your data exists on virtually dedicated servers to ensure it remains isolated from other customers’ data.

jsmorgan1it · ‎08-20-2019

My question was unrelated to data integrity and security but rather, once an index is created how do we ensure data from the Heavy Forwarder pushes the data collected into the index we establish on the Splunk Cloud. Do you know the answer to this?

jsmorgan1it · ‎08-20-2019

I would think somewhere on the Heavy Forwarder you will have to specify where (what index name) you want the data to reside in once pushed to the Splunk Cloud, no?

nareshinsvu · ‎08-20-2019

Do go through the conf files involved in Data forwarding before jumping into your environment.

outputs.conf - Indexer discovery etc happens here
inputs.conf - target index, source and sourcetype to be defined here
props.conf & transforms.conf - Filter and extractions of your data to be defined here.

jsmorgan1it · ‎08-20-2019

That's it! Thank you.

realhippo33 · ‎08-20-2019

Sounds like you didn't install the forwarder app you can download from your Splunk Cloud instance. It will have all the right settings and certificates to send data to Splunk Cloud.

Splunk Heavy Fowarder to Splunk Cloud using DB connect

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!