Getting Data In

Cloudflare logs to Heavy Forwarder - Pipeline data does not have indexKey?

jcrosby21
Path Finder

I am trying to send my Cloudflare HTTP logs to my externally exposed Splunk heavy forwarder (on prem).

I have installed the Cloudflare App on the heavy forwarder and the search head:
https://splunkbase.splunk.com/app/4501/#/details

I know the data is making it to my heavy forwarder that has the application installed. However, the data isn't being correctly ingested. I am finding this type of log in the _internal index on my forwarder, and there appears to be one for each event that Cloudflare has sent to my forwarder.  I have rebooted the forwarder since adding the application:
09-15-2022 10:16:22.804 -0400 WARN TcpOutputProc [5288 indexerPipe] - Pipeline data does not have indexKey. [_hecTeleVersionKey] = default\n[_hecTeleAppKey] = default\n[_raw] = \n[_meta] = punct::\n[MetaData:Source] = source::http:Cloudflare5xx\n[MetaData:Host] = host::readactedhost.com\n[MetaData:Sourcetype] = sourcetype::cloudflare:json\n[_done] = _done\n[_linebreaker] = _linebreaker\n[_time] = 1663251382\n[_conf] = source::http:Cloudflare5xx|host::readactedhost.com|cloudflare:json|\n

My HEC token is configured as:
[http://Cloudflare5xx]
description = Used to get cloudflare logs into splunk for server 5xx errors
disabled = 0
indexes = cloudflare
token = 7xxxxxxxx

I am stumped about what "Pipeline data does not have indexKey" means and cannot find a next step.  If the logs are being sent, and making it to the forwarder, are there more steps than having the application there to interpret the information sent to the services/collector/raw endpoint?  I have never ingested on the /raw endpoint before, so I wonder if something is missing.

1 Solution

jcrosby21
Path Finder

This error was because I was sending information to the /raw endpoint on my HTTP Event Collector.  With this endpoint the HEC inputs.conf must specify the particular index to load the raw events into.  I mistakenly thought that the Cloudflare app would do this for me with props.conf (it has an index defined within the app), but this was incorrect.  With the other HEC endpoint the event specifies the index ITSELF, so the learning was that the raw endpoint requires more information in the HEC inputs.conf.  I also needed to tweak the Cloudflare app's TZ (UTC), INDEXED_EXTRACTIONS (json), and KV_MODE (none) in the application's props.conf to properly ingest once the events were being placed on the index.

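A pre-flight check for the two misconfigurations this thread ran into, written as an added example for this page (it is not Splunk tooling or part of the Cloudflare app). It parses a HEC inputs.conf and a props.conf and flags a token stanza that has no `index` (the question's stanza only had the `indexes` allow-list, which is why the /raw events arrived without an index key) and a sourcetype that combines INDEXED_EXTRACTIONS = json with a KV_MODE other than none. Both .conf texts are constructed for the example: the first HEC stanza mirrors the one posted in the question, while the `_fixed` stanza and the `cloudflare:json_doubled` sourcetype are hypothetical names used for contrast.

```python
"""Lint Splunk HEC token stanzas and the matching props.conf sourcetypes.

Added example for the thread above, not Splunk's or the Cloudflare app's code.
Checks:
  1. every [http://<name>] token stanza has an effective `index` (its own or
     one inherited from the global [http] stanza), because events posted to
     /services/collector/raw carry no index of their own, unlike the /event
     endpoint where the JSON body can name one; and that the effective index
     is inside the token's `indexes` allow-list when that list is set;
  2. a sourcetype with INDEXED_EXTRACTIONS = json uses KV_MODE = none, so the
     JSON fields are not extracted a second time at search time.
"""
import configparser

# Constructed inputs.conf. The first stanza mirrors the question's token (an
# allow-list, but no default index); the second is the corrected form.
INPUTS_CONF = """
[http]
disabled = 0
port = 8088

[http://Cloudflare5xx]
description = Used to get cloudflare logs into splunk for server 5xx errors
disabled = 0
indexes = cloudflare
token = 7xxxxxxxx

[http://Cloudflare5xx_fixed]
description = Same token with the default index the /raw endpoint needs
disabled = 0
index = cloudflare
indexes = cloudflare
token = 8xxxxxxxx
"""

# Constructed props.conf. The first sourcetype (hypothetical name) has the
# double-extraction pitfall; the second is the shape the accepted answer used.
PROPS_CONF = """
[cloudflare:json_doubled]
INDEXED_EXTRACTIONS = json
KV_MODE = json
TZ = UTC

[cloudflare:json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
TZ = UTC
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text. Setting names are case-sensitive in Splunk,
    so keep their case; only '=' separates key and value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_hec_inputs(text: str) -> dict:
    """Return {token stanza: [problems]} for every [http://...] stanza."""
    cp = load_conf(text)
    global_index = cp.get("http", "index", fallback=None)
    findings = {}
    for stanza in cp.sections():
        if not stanza.startswith("http://"):
            continue
        problems = []
        index = cp.get(stanza, "index", fallback=global_index)
        if index is None:
            problems.append("no `index` set on the token or in [http]; raw "
                            "events will have no index key")
        allow = cp.get(stanza, "indexes", fallback=None)
        if allow is not None and index is not None:
            allowed = [i.strip() for i in allow.split(",") if i.strip()]
            if index not in allowed:
                problems.append(f"default index {index!r} is not in the "
                                f"`indexes` allow-list {allowed}")
        findings[stanza] = problems
    return findings


def lint_props(text: str) -> dict:
    """Return {sourcetype stanza: [problems]} for index-time JSON settings."""
    cp = load_conf(text)
    findings = {}
    for stanza in cp.sections():
        problems = []
        extractions = cp.get(stanza, "INDEXED_EXTRACTIONS", fallback="")
        kv_mode = cp.get(stanza, "KV_MODE", fallback="auto")  # Splunk default
        if extractions.lower() == "json" and kv_mode.lower() != "none":
            problems.append(f"INDEXED_EXTRACTIONS = json with KV_MODE = "
                            f"{kv_mode}: fields extracted twice; use none")
        if cp.get(stanza, "TZ", fallback=None) is None:
            problems.append("TZ not set (the accepted answer set TZ = UTC)")
        findings[stanza] = problems
    return findings


if __name__ == "__main__":
    for name, probs in {**lint_hec_inputs(INPUTS_CONF),
                        **lint_props(PROPS_CONF)}.items():
        print(f"[{name}] " + ("OK" if not probs else "; ".join(probs)))
```

Run it before enabling a /raw token, or point `lint_hec_inputs` at the real `inputs.conf` text from the heavy forwarder's app directory. The /raw endpoint also accepts `index` (along with `source`, `sourcetype` and `host`) as URL query parameters, so a sender whose destination URL you control can name the index per request; the stanza-level `index` is what applies when the request does not.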
