
Fetching logs from Elasticsearch

Mojal
Engager

Hi,

I have an Elastic DB that receives logs from various services directly, and I want to send these logs to Splunk Enterprise.
Is there any documentation with installation instructions for the Elasticsearch Data Integrator?
I couldn't configure it to make it work, and I can't find any documentation on how to install and configure this add-on.

Please help me with that. @larmesto

Kind Regards,
Mohammad

0 Karma

Mojal
Engager

Thank you for your help @marnall 

You are correct, I did enter my Elasticsearch information in the app, but it did not pull any data.

When I go through the _internal logs, I see some error logs that contain users like proxy and root, but I don't have any of these users in my configs nor in my database credentials, and I also didn't activate the proxy option in the Elasticsearch Data Integrator add-on.

[screenshot: Mojal_0-1723963099792.png]

I should mention that I can connect to the Elastic database via curl from the Splunk server, which means the connection is open.

0 Karma

canoop
New Member

Hi @Mojal  @marnall 

I am facing the same issue with my Splunk Cluster. Were y'all able to find any workarounds/solutions?

[screenshot: Screenshot 2024-08-27 at 6.10.30 PM.png]

[screenshot: Screenshot 2024-08-27 at 6.08.27 PM.png]

P.S.: I have deployed the Splunk cluster via splunk-operator in my Kubernetes environment.

0 Karma

marnall
Motivator

As a test, does the app still complain when you add a filler proxy user+password combination in the settings?

There is also a different app that is often suggested for the use case of searching Elasticsearch data from Splunk. If it is not strictly necessary for you to migrate the data from Elasticsearch into Splunk, then this may be an option: https://github.com/brunotm/elasticsplunk

0 Karma

Mojal
Engager

Yes, it still generates proxy logs even when I fill in fake settings.

[screenshot: Mojal_0-1723985020301.png]

The problem with those apps you mentioned is that they don't support authentication.

My Elasticsearch database is protected by authentication.

0 Karma

marnall
Motivator

Are you able to find working values for the inputs of the app? It seems like you can enter your Elasticsearch domain name, port, user, secret, interval, etc., and then theoretically it should pull data from your Elasticsearch instance.

If you enter the values but it does not work, then you could try searching your _internal index for keywords like "elasticsearch" to see if the app generates any errors that would explain why it is not pulling data from your Elasticsearch instance.

0 Karma
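The thread describes the add-on's inputs (host, port, user, secret, interval) and an authenticated curl check, and the unexplained proxy users in _internal. The script below is an added, self-contained illustration of the same fetch the add-on performs, written for this reply; it is not the add-on's code and not from anyone in the thread. It uses only the Python standard library: it builds an authenticated Elasticsearch `_search` request for a time window, flattens the hits into events shaped for Splunk HEC, and reports which proxy environment variables are set, since urllib (like most HTTP clients) silently honours `HTTP_PROXY`/`HTTPS_PROXY` from the environment, which is one way a client can try a proxy that was never configured in the app. The index name, field names, credentials and the sample response are constructed assumptions.

```python
"""Pull a time window of log documents from Elasticsearch over its REST API
with HTTP basic auth, standard library only.  Constructed example: the index
name, field names, credentials and SAMPLE_RESPONSE are assumptions."""
import base64
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Environment variables that urllib and most HTTP clients consult automatically.
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY",
              "http_proxy", "https_proxy", "no_proxy")


def proxy_env_settings():
    """Return the proxy-related environment variables that are set.
    A client inherits these from its environment, so a proxy may be used
    even when no proxy was configured in the application itself."""
    return {name: os.environ[name] for name in PROXY_VARS if name in os.environ}


def build_query(start, end, size=500, time_field="@timestamp"):
    """Elasticsearch _search body selecting documents whose time_field lies
    in [start, end), oldest first.  The sort makes paging with search_after
    straightforward if a window holds more than `size` documents."""
    return {
        "size": size,
        "sort": [{time_field: "asc"}],
        "query": {"range": {time_field: {"gte": start.isoformat(),
                                         "lt": end.isoformat()}}},
    }


def basic_auth_header(user, secret):
    """RFC 7617 basic auth header; the same thing `curl -u user:secret` sends."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_hits(response):
    """Flatten an ES _search response into event dicts in the shape a Splunk
    HEC client expects (time, source index, and the document as the event)."""
    events = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        events.append({"time": src.get("@timestamp"),
                       "index": hit.get("_index"),
                       "event": src})
    return events


def fetch_logs(base_url, index, user, secret, start, end, use_env_proxy=False):
    """POST the window query to <base_url>/<index>/_search.  By default an
    empty ProxyHandler is installed so environment proxy settings are ignored,
    which isolates a connectivity test from any inherited proxy configuration."""
    url = f"{base_url.rstrip('/')}/{index}/_search"
    body = json.dumps(build_query(start, end)).encode()
    headers = {"Content-Type": "application/json", **basic_auth_header(user, secret)}
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    handlers = [] if use_env_proxy else [urllib.request.ProxyHandler({})]
    opener = urllib.request.build_opener(*handlers)
    with opener.open(req, timeout=15) as resp:
        return parse_hits(json.load(resp))


# Constructed response in the shape Elasticsearch returns for _search.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
        {"_index": "svc-logs-2024.08.18", "_id": "1",
         "_source": {"@timestamp": "2024-08-18T06:00:01Z", "service": "auth",
                     "level": "WARN", "message": "login failed for user bob"}},
        {"_index": "svc-logs-2024.08.18", "_id": "2",
         "_source": {"@timestamp": "2024-08-18T06:00:02Z", "service": "api",
                     "level": "INFO", "message": "GET /health 200"}},
    ]}
}

if __name__ == "__main__":
    end = datetime(2024, 8, 18, 7, tzinfo=timezone.utc)
    start = end - timedelta(hours=1)
    print("proxy env vars in effect:", proxy_env_settings() or "none")
    print(json.dumps(build_query(start, end), indent=2))
    for ev in parse_hits(SAMPLE_RESPONSE):
        print(ev["time"], ev["index"], ev["event"]["message"])
    # Against a live instance (assumed URL and credentials):
    # fetch_logs("https://es.example.internal:9200", "svc-logs-*",
    #            "elastic", "changeme", start, end)
```

Running it against the embedded sample needs no Elasticsearch; point `fetch_logs` at a real instance only once the curl check from the thread succeeds, and compare the result with `use_env_proxy=True` if the _internal logs keep showing proxy-related errors.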