Configuring Splunk OTel Collector for Linux/Windows Log Collection (Splunk Cloud/Enterprise)

jthurston
Splunk Employee

As you may know, the Splunk OTel Collector can collect logs from Kubernetes and send them to Splunk Cloud/Enterprise using the Splunk OTel Collector Helm chart distribution. You can also use the Splunk OTel Collector to collect logs from Windows or Linux hosts and send those logs directly to Splunk Enterprise/Cloud. This information isn't easy to find in the documentation, however, because the standalone (non-Helm-chart) distribution of the Collector appears to be usable only with Splunk Observability. In the instructions below, I will show you how to install the Collector even if you don't have a Splunk Observability (O11y) subscription.

In terms of compatibility, the Splunk OTel Collector is supported on the following Operating Systems:

  • Amazon Linux: 2, 2023. Log collection with Fluentd is not currently supported for Amazon Linux 2023.

  • CentOS, Red Hat, or Oracle: 7, 8, 9

  • Debian: 9, 10, 11

  • SUSE: 12, 15 for version 0.34.0 or higher. Log collection with Fluentd is not currently supported.

  • Ubuntu: 16.04, 18.04, 20.04, 22.04, and 24.04

  • Rocky Linux: 8, 9

  • Windows 10 Pro and Home, Windows Server 2016, 2019, 2022

Once you have confirmed that your Operating System is compatible, please use these instructions to install the Splunk OTel Collector:

First, export the following variable in the shell you will run the installer from. The installer reads it and skips the check that an Observability access token was supplied, which is only required when installing the Collector for Splunk Observability. (export is a shell builtin, so it cannot be run through sudo; when you run the installer with sudo, preserve the variable with sudo -E, or set it inline with sudo env VERIFY_ACCESS_TOKEN=false sh ...)

export VERIFY_ACCESS_TOKEN=false

Next, download and run the installer. In this example we use curl; other installation methods are listed in the Splunk documentation. The installer needs root privileges, and -E carries the exported variable into the root environment:

curl -sSL https://dl.signalfx.com/splunk-otel-collector.sh > /tmp/splunk-otel-collector.sh;
sudo -E sh /tmp/splunk-otel-collector.sh --hec-token <token> --hec-url <hec_url> --insecure true

 

You may notice that we modify the installation command from the original instructions: we specify the HEC token and HEC URL of the Splunk instance you want to send your logs to. Both --hec-token and --hec-url are required for the installation to work correctly. The --insecure true option disables TLS certificate verification for the HEC connection; it is a convenience for test instances with self-signed certificates. On a production instance, leave it out and make sure the HEC certificate chains to a CA the host trusts, so the token and log data cannot be intercepted in transit.

The installer should then install the Collector, which starts sending logs to your Splunk instance automatically (assuming your network allows the outbound traffic). If you want to know which log ingestion methods are configured out of the box, see the default pipeline for the OTel Collector in the Splunk documentation.

What if you want your Splunk OTel Collector to send logs to Enterprise/Cloud and also send metrics or traces to Splunk Observability?

If so, you can modify the installation command above to include your O11y realm and access token in addition to your HEC URL and HEC token, like this:

 

curl -sSL https://dl.signalfx.com/splunk-otel-collector.sh > /tmp/splunk-otel-collector.sh;
sudo sh /tmp/splunk-otel-collector.sh --realm <o11y_realm> --hec-token <token> --hec-url <hec_url> --insecure true -- <ACCESS_TOKEN>

 

 

Please note that the access token always follows the bare -- separator and, as a best practice, should be the last argument of the installer command.
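As an added example (not from the original post or from the Splunk project), here is a small POSIX shell wrapper that assembles the installer arguments described above for both the HEC-only case and the HEC-plus-Observability case, and checks the inputs before anything is run as root: the HEC token must look like a GUID, the HEC URL must be https so the token is not sent in cleartext, and --insecure true is added only when the hypothetical ALLOW_INSECURE_HEC=1 is set. The function names, the ALLOW_INSECURE_HEC variable and the sample token, realm and URL values are my own constructions; the installer flags and the VERIFY_ACCESS_TOKEN variable are the ones used in the post. Only the command string is built; nothing is downloaded or executed.

```shell
#!/bin/sh
# Added example, not part of the original post: build and sanity-check the
# splunk-otel-collector.sh command line before running it with root privileges.
# Assumptions: HEC tokens are GUID-formatted (8-4-4-4-12 hex), and the HEC URL
# should be https so the token and log data are protected in transit.
# ALLOW_INSECURE_HEC is a hypothetical switch of this example, not an installer flag.

# Return 0 if $1 looks like a HEC token (GUID: 8-4-4-4-12 hex digits).
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Return 0 if $1 is an https URL (scheme check only).
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_installer_args HEC_TOKEN HEC_URL [REALM ACCESS_TOKEN]
# Prints the installer arguments on stdout, or prints a reason on stderr and
# returns 1 when a value fails validation. With ALLOW_INSECURE_HEC=1 the
# "--insecure true" flag is added (lab use with a self-signed HEC certificate);
# by default certificate verification stays on.
build_installer_args() {
    hec_token="$1"; hec_url="$2"; realm="$3"; access_token="$4"

    is_guid "$hec_token" || { echo "HEC token is not a GUID" >&2; return 1; }
    is_https_url "$hec_url" || { echo "HEC URL must use https" >&2; return 1; }
    if [ -n "$realm" ] && [ -z "$access_token" ]; then
        echo "realm given without an O11y access token" >&2; return 1
    fi

    args=""
    [ -n "$realm" ] && args="--realm $realm "
    args="${args}--hec-token $hec_token --hec-url $hec_url"
    if [ "${ALLOW_INSECURE_HEC:-0}" = "1" ]; then
        args="$args --insecure true"
    fi
    # The O11y access token always follows the bare "--" and comes last.
    [ -n "$realm" ] && args="$args -- $access_token"
    printf '%s\n' "$args"
}

# installer_command HEC_TOKEN HEC_URL [REALM ACCESS_TOKEN]
# Prints the full command to run. Without an O11y access token the installer
# is told not to verify one (VERIFY_ACCESS_TOKEN=false, passed through sudo via
# env so it reaches the root environment); with one, normal verification applies.
installer_command() {
    args=$(build_installer_args "$@") || return 1
    if [ -n "$4" ]; then
        printf 'sudo sh /tmp/splunk-otel-collector.sh %s\n' "$args"
    else
        printf 'sudo env VERIFY_ACCESS_TOKEN=false sh /tmp/splunk-otel-collector.sh %s\n' "$args"
    fi
}
```

Typical use is to source the file and run, for example, installer_command <token> <hec_url> to see the exact command line (and any validation error) before executing it by hand; the https check is what catches a HEC URL accidentally given as http, where the token would leave the host in cleartext.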
