Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fetching logs from Elasticsearch

Mojal
Engager
‎08-14-2024 02:50 AM

Hi,

I have an Elastic DB that receive logs from various services directly and I want to send these logs to Splunk Enterprise.
Is there any documentation about install instruction of the Elasticsearch Data Integrator?
I couldn't  config it to make it work and I don't find any documentation on how to install and configure this add-on.

Please help me with that.@larmesto 

Kind Regards,
Mohammad

Labels (2)
Labels
0 Karma
Reply

Mojal
Engager
‎08-17-2024 11:39 PM

Thank you for your help @marnall 

You are correct, I did enter my elastic search information in the app but it did not pull any data.

When I go thorough _Internal logs, I see some error logs that contains users like proxy and root, but I dont have any of this users in my configs nor in my database credentials and also I didnt active the proxy option in the Elasticsearch Data Integrator add-on.

Mojal_0-1723963099792.png

 

I could mention that I can connect to elastic database via curl from splunk server which means the connection is open.

0 Karma
Reply

canoop
New Member
‎08-27-2024 03:11 PM

Hi @Mojal  @marnall 

I am facing the same issue with my Splunk Cluster. Were y'all able to find any workarounds/solutions?

Screenshot 2024-08-27 at 6.10.30 PM.png

Screenshot 2024-08-27 at 6.08.27 PM.png

P.S: I have deployed the splunk cluster via splunk-operator in my kubernetes environment.

0 Karma
Reply

marnall
Motivator
‎08-18-2024 01:26 AM

As a test, does the app still complain when you add a filler proxy user+password combination in the settings?

There is also a different app that is often suggested for the use case of searching Elasticsearch data from Splunk. If it is not strictly necessary for you to migrate the data from Elasticsearch into Splunk, then this may be an option: https://github.com/brunotm/elasticsplunk

0 Karma
Reply

Mojal
Engager
‎08-18-2024 05:46 AM

Yes, still it does generate proxy logs even when fill fake settings.

Mojal_0-1723985020301.png

 

The problem with those apps you mentioned is that they dont support authentication.

My Elasticsearch database is protected by authentication.

0 Karma
Reply

marnall
Motivator
‎08-14-2024 01:35 PM

Are you able to find working values for the inputs of the app? It seems like you can enter in your Elasticsearch domain name, port, user, secret, interval, etc, then theoretically it should pull data from your elasticsearch instance.

If you enter in the values but it does not work, then you could try searching your _internal index for keywords like "elasticsearch" to see if the app generates any errors that would explain why it is not pulling data from your elasticsearch instance.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
li.common.scroll-to.top