Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can anyone explain me how to on board data in Splu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone explain me how to on board data in Splunk cloud
I am hired in an organization as a Splunk architect, and I need to start with onboading data. I don't know much about onboarding data. I had gone through getting data in docs but that is not helpful to deal in real time.
Totally confused about field extraction and stuff, do I need to deal with that if it data getting in is JSON?
Can anyone please share your onboarding knowledge with me.
splunk learner.
Richah.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ricah,
This really depends on where the data is coming from, what format its in, if its already parsed (e.g. sent via HEC) etc. There may be existing Splunk apps for the data if its a common log type (e.g. AWS logs, PaloAlto logs, Nessus, Windows/Linux logs etc) - Check https://splunkbase.splunk.com/ for suitable apps and install them on your stack as these will help you out.
I'd always recommend testing locally first if this is possible - either a development stack, internal on-premise dev instance or even a docker container or local install.
Have you done the Splunk Architect training courses? I believe Data Administration is a key part of the admin / architect training (https://www.splunk.com/en_us/training/course-catalog.html?sort=Newest&filters=filterGroup2SplunkEnte...) so might be worth getting yourself up to speed if you havent already done so.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello please I asked an important question but it is yet to reflect on the activity for people to see it and give me a solution, although I am New, I also checked my profile I saw 2 posts there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data is coming from AWS using Splunk add-on for AWS. We are getting that in JSON format. And collecting only operational data. So, in Splunk add-on for AWS, in inputs section, do we use direct cloud watch input OR do we go to custom and select cloudwatch logs in there?
we don't have any UF or HF, I'm using Splunk add-on for AWS to get the data in. And getting JSON data. Not sure how all field extractions and all work, do we even need to perform that if we are getting json data??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richah ,
I don't know how deeply you know Splunk.
Anyway, here, you can find the ways to ingest data in Splunk , without regard using Splunk Enterprise or Splunk Cloud.
here you can find detailed instructions:
You must ingest all data from your on-premise data sources using Universal Forwarders or syslog or HEC receivers and then concentrate all logs in at least one (or better two) Heavy Forwarder to use as concentrators that forwards logs to Splunk Cloud.
You can find the architecture to implement at https://help.splunk.com/en/splunk-cloud-platform/splunk-validated-architectures/introduction-to-splu...
About field extractions, you must continue to use the normal add-ons, having the only attention to check if they are certificed for Splunk Cloud.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello , thank you for the response. I have multiple AWS account's and it's SAAS, how do I connect all my AWS accounts to this splunk cloud?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richah ,
you have to use Data Manager on Splunk Cloud, or, if you prefer, Splunk TA_AWS.
In these technical add-ons, you have to configure more connections, one for each account and then one or more inputs for each connection, following the instructions on the documentation of the Technical add-on that you will use.
One additional hint: remember to have near you someone with a deep knowledge of AWS configuration because, Splunk configuration is easy, instead the steps on AWS aren't so easy if you don't know very well this environment.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello THanks for response but we dont have data manager, in our splunk cloud. Already tried that, and splunk team can't provide any info to do assumerole. Any alternative to onboard data from AWS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richah ,
you can install Data Manager in your Splunk Cloud Instance and I hint to do this because this app has a very user friendly interface to configure inputs.
Anyway, you can use the AWS add-on.
Ciao.
Giuseppe
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
