I'm using a Splunk Enterprise on my own server. Recently we have played with the idea of moving to "Splunk Light" cloud service and I'm trying to configure a test environment on the "Splunk Light" cloud, and I have some difficulties.
Originally, I'm sending data from my application servers to my Splunk server via a TCP port to the Splunk server IP (without Forwarder). Where can I find the IP or FQDN of the "Splunk Light" to send the data to? I cannot find it anywhere.
In my current Splunk server, I use TCP Local Data Inputs. In "Splunk Light" cloud TCP Local Data is not listed as an option for Local TCP Data Inputs. So, where should I add the port listener?
I need to filter out some data I receive. In my own Splunk server I'm using "transforms.conf" and "props.conf" files. How do I access these files in the "Splunk Light" service, or alternatively, is there a way to filter out data from the "Splunk Light" management board?
Thanks for your help.
Let's talk about #2. On Cloud Service, creating local TCP inputs is not supported, for the security compliance reasons.
For #1, I am assuming that you are sending data to a local TCP input port, and hence that's not going to work (as per my comment above)
For #3, have you looked at defining transforms via UI? Some of the configurations can be done via UI form the Knowledge -> Fields menu options. Please let us know if you can update all necessary settings via UI.
When using Cloud service, Universal forwarders is the primary way to send data to cloud service. You can find information about that here: http://docs.splunk.com/Documentation/SplunkLight/6.3.3/Cloud/ForwarddatatoSplunkLightcloudservice.
Another option for you to consider is sending data via HTTP Inputs, which are fully supported in Splunk Light Cloud service, if you do not want to use forwarders.
There is always and option to install heavyweight forwarder on your network, which can open Local TCP inputs to receive data, and then forward to the cloud service (using the same process described in the link above)
Hope this helps.
Thank you DJ,
Yes, your information was useful.
Can you say if there is a way to import our existing dashboards, reports and alerts to Splunk Light?
I did not find any way. Is there a hidden way I can import them?
Also, we currently use HTTP inputs from our other clients via HTTPS with our own SSL certificate.
Is there a possibility to use our own SSL cert in Splunk light or cloud?
If not, what are our options for a reasonable solution to work with HTTPS?
I am not aware of any way to import existing dashboards/reports/alerts to Splunk Light cloud instance.
That sounds like a darn good enhancement request to Splunk Light.
Splunk Light Cloud service only supports HTTPS for HTTP Event collector. I don't think there is a way to use custom certs on Splunk Light Cloud. I strongly suggest you use heavyweight forwarder as a intermediate node for your existing sources to send data to, and heavyweight forwarder sends data to the cloud service.
Hope this helps.