Getting Data In

Fetching logs from Elasticsearch

Mojal
Engager

Hi,

I have an Elastic DB that receives logs from various services directly, and I want to send these logs to Splunk Enterprise.
Is there any documentation with installation instructions for the Elasticsearch Data Integrator?
I couldn't configure it to make it work, and I can't find any documentation on how to install and configure this add-on.

Please help me with that. @larmesto

Kind Regards,
Mohammad

0 Karma

Mojal
Engager

Thank you for your help @marnall 

You are correct, I did enter my elastic search information in the app but it did not pull any data.

When I go through the _internal logs, I see some error logs that contain users like proxy and root, but I don't have any of these users in my configs nor in my database credentials, and I also didn't activate the proxy option in the Elasticsearch Data Integrator add-on.


I should mention that I can connect to the Elastic database via curl from the Splunk server, which means the connection is open.

0 Karma

canoop
New Member

Hi @Mojal @marnall

I am facing the same issue with my Splunk Cluster. Were y'all able to find any workarounds/solutions?


P.S.: I have deployed the Splunk cluster via splunk-operator in my Kubernetes environment.

0 Karma

marnall
Motivator

As a test, does the app still complain when you add a filler proxy user+password combination in the settings?

There is also a different app that is often suggested for the use case of searching Elasticsearch data from Splunk. If it is not strictly necessary for you to migrate the data from Elasticsearch into Splunk, then this may be an option: https://github.com/brunotm/elasticsplunk

0 Karma

Mojal
Engager

Yes, it still generates proxy logs even when I fill in fake settings.


The problem with those apps you mentioned is that they don't support authentication.

My Elasticsearch database is protected by authentication.

0 Karma

marnall
Motivator

Are you able to find working values for the inputs of the app? It seems like you can enter your Elasticsearch domain name, port, user, secret, interval, etc., and then theoretically it should pull data from your Elasticsearch instance.

If you enter the values but it does not work, then you could try searching your _internal index for keywords like "elasticsearch" to see if the app generates any errors that would explain why it is not pulling data from your Elasticsearch instance.

0 Karma