Getting Data In

How do I send my own data into a Splunk Cloud Sandbox Trial?

Splunk Employee
Splunk Employee

How do you send data from a forwarder into a Splunk Cloud Sandbox trial environment?

1 Solution

Splunk Employee
Splunk Employee

Note as for Jan 31 this is no longer valid.

Use this instead: http://answers.splunk.com/answers/214420/how-do-i-setup-a-splunk-cloud-trial-sandbox-forwar.html#ans...

You can send data into your Splunk Cloud via forwarder by doing the following:

  • From the Splunk UI, login as Admin
  • Under Settings » Forwarding and receiving, Enable port 9997 from Splunk's UI in your Sandbox instance
  • On your forwarder, you set the outputs to input-.splunk6.splunktrial.com

for example I used in my outputs.conf file /opt/splunkforwarder/etc/apps/system/local/outputs.conf

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server =  input-khourihan-sje-0.splunk6.splunktrial.com:9997

You can find your instance name by going to https://www.splunk.com/getsplunk/cloudtrial and logging into Splunk.com. You can see your Sandbox name there.

alt text

  • Then, if you haven't done so already, configure your inputs.
  • Restart your Splunk on your forwarder

More references:

https://www.splunk.com/view/SP-CAAAM3U

I already have a Splunk instance or a
Splunk forwarder. How can I send data
from my existing Splunk instance to my
Splunk Online Sandbox? You can send
data from a Splunk forwarder to your
Splunk Online Sandbox using the domain
name for your sandbox's Splunk Web. To
send data directly to your Splunk
Online Sandbox, prefix the domain name
with "input-". For example, if the url
for your Splunk Online Sandbox is
https://username.splunktrial.com,
forward your data to
input-username.splunktrial.com.

View solution in original post

Explorer

This process has been greatly simplified in recent weeks.
You can now download an app which you can install into a universal forwarder from the sandbox instance itself.

After logging into your instance, click on the "Universal Forwarder" app from the launcher page.
From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.

Also,
The answers given above were valid at the time of writing but recently we secured all data inputs with a unique SSL certificate and key for each instance so you cannot just manually add the config files and make it work anymore. You have to download the universal forwarder app which has the required credentials embedded.

Splunk Employee
Splunk Employee

If you switch to the preconfigured forwarder app, you should remove all the manual forwarding you may have done before (like the outputs.conf in $SPLUNK_HOME/etc/system/local).

Remarks :
- no need to setup the forwarding using the installer option on windows (skip the step), or the Command line and install options.
- You still need to create inputs for your events, but can look at the data in index=_internal and splunkd.log to check.

0 Karma

Splunk Employee
Splunk Employee

Note as for Jan 31 this is no longer valid.

Use this instead: http://answers.splunk.com/answers/214420/how-do-i-setup-a-splunk-cloud-trial-sandbox-forwar.html#ans...

You can send data into your Splunk Cloud via forwarder by doing the following:

  • From the Splunk UI, login as Admin
  • Under Settings » Forwarding and receiving, Enable port 9997 from Splunk's UI in your Sandbox instance
  • On your forwarder, you set the outputs to input-.splunk6.splunktrial.com

for example I used in my outputs.conf file /opt/splunkforwarder/etc/apps/system/local/outputs.conf

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server =  input-khourihan-sje-0.splunk6.splunktrial.com:9997

You can find your instance name by going to https://www.splunk.com/getsplunk/cloudtrial and logging into Splunk.com. You can see your Sandbox name there.

alt text

  • Then, if you haven't done so already, configure your inputs.
  • Restart your Splunk on your forwarder

More references:

https://www.splunk.com/view/SP-CAAAM3U

I already have a Splunk instance or a
Splunk forwarder. How can I send data
from my existing Splunk instance to my
Splunk Online Sandbox? You can send
data from a Splunk forwarder to your
Splunk Online Sandbox using the domain
name for your sandbox's Splunk Web. To
send data directly to your Splunk
Online Sandbox, prefix the domain name
with "input-". For example, if the url
for your Splunk Online Sandbox is
https://username.splunktrial.com,
forward your data to
input-username.splunktrial.com.

View solution in original post

Splunk Employee
Splunk Employee

Hi Raghu,

If I read your server name correctly (and note everyone else can see it)

Try this

[tcpout]
defaultGroup = default-autolb-group,sandbox

[tcpout:default-autolb-group]
disabled = false
server = cdcxvt0765.conway.prod.con-way.com:9997

[tcpout:sandbox]
disabled = false
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997

0 Karma

Explorer

Thanks for giving setting and sorry about the font, it was unintentional 🙂

I tried the settings and still no result.

Q - for
[tcpout:splunk_cloud]
disabled = false
server = ?
Did you get the server name from "Splunk server name" in the general settings ?

Raghu

0 Karma

Splunk Employee
Splunk Employee

@Raghu,

Try following this format: (use a comma not two entries)

[tcpout]
defaultGroup = splunk_cloud,sandbox

[tcpout:splunk_cloud]
disabled = false
server = i1.blah.splunkcloud.com:9997,i2.blah.splunkcloud.com:9997,i3.blah.splunkcloud.com:9997

[tcpout:sandbox]
disabled = false
server = input-khourihansplunk-blah.splunk6.splunktrial.com:9997

PS those fonts you used are awesome!

0 Karma

Explorer

ok then thats exactly the one I had changed. But it did not work

[satibsvc@cdcxvt0765 local]$ cat outputs.conf
[tcpout]

defaultGroup = default-autolb-group

defaultGroup = sandbox

[tcpout:default-autolb-group]

server = cdcxvt0765.conway.prod.con-way.com:9997

[tcpout-server://cdcxvt0765.conway.prod.con-way.com:9997]

[tcpout:sandbox]
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997
[satibsvc@cdcxvt0765 local]$ pwd
/opt/eicoe/splunkforwarder/etc/system/local
[satibsvc@cdcxvt0765 local]$

0 Karma

Splunk Employee
Splunk Employee

@Raghu, you make the modification to ./splunkforwarder/etc/system/local/outputs.conf

afterwards don't forget to restart your forwarder.

0 Karma

Explorer

OR
Can I change a different output.conf. Other output.conf available are

./splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf
./splunk/etc/system/default/outputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/outputs.conf
./splunk/etc/apps/SplunkForwarder/default/outputs.conf
./splunkforwarder/etc/system/local/outputs.conf
./splunkforwarder/etc/system/default/outputs.conf
./splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf

OR
something else ??

Please advice ?

Raghu

0 Karma

Explorer

When I installed the splunk forwarder in Unix I did not see the folder local under /opt/splunkforwarder/etc/apps/search/
So does this mean I have the wrong install? I installed splunkforwarder-6.1.2-213098-Linux-x86_64.gz
OR
Does does this mean I missed a configuration step?

0 Karma

Splunk Employee
Splunk Employee

edited the answer for you

0 Karma

Splunk Employee
Splunk Employee

The hostname in your forwarder outputs.conf file must be prefixed with input-, i.e., you take the sandbox web interface hostname and prefix input- to the front, e.g., your example about should use input-khourihan-sje-0.splunk6.splunktrial.com:9997 instead of khourihan-sje-0.splunk6.splunktrial.com:9997.