Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk qroc integration

Nilkanth
New Member
‎01-12-2019 08:03 AM

Hello Guys,

We are using splunk as log collector only and via heavy forwarder we are receiving logs on Qroc (Qradra cloud version) with one LB in between.now the problem is none of the data is getting parsed at Qroc end.
for all logs we are getting only Datagateway IP as device address.
so my questions is does Splunk support as kind of integration.does splunk modify original log format.is there any way we can solve this mess

0 Karma
Reply

lakshman239
Influencer
‎01-15-2019 07:15 AM

Yes, splunk supports 3rd party integration. If you are using Splunk HF as just forwarder, you need to follow the steps below to configure it [ you will need to provide the LB ip as receiver]
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd

Once the data hits the LB (raw data), it will then go to any other SIEM platform, which should have appropriate add-ons/apps/plug-in/transforms/adapters to extract required fields from the raw data to match your use case.

0 Karma
Reply

nikita_p
Contributor
‎01-15-2019 04:21 AM

Hi,
If you are using F5 to deploy this configuration, then there is a splunk app for F5 Analytics(new) which helps to send data to splunk via HEC or if you don't don't to use HEC and monitor via port then there is another add-on for splunk F5.

0 Karma
Reply

nikita_p
Contributor
‎01-15-2019 04:25 AM

You can go through both the documentations on Splunk. PFB the same
https://splunkbase.splunk.com/app/3161/

https://splunkbase.splunk.com/app/2680/

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2019 12:27 PM

What are your props.conf settings for the Qroc sourcetype?

Unrelated to your problem, but still important: How many heavy forwarders are you using? Why do you need a load balancer? What kind of load balancer are you using?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nilkanth
New Member
‎01-12-2019 01:07 PM

Hi richgalloway,

thank you for your comment, i will check props.conf when i am back to office on monday.
there are 2 heavy forwaders.
The IBM Q Radar is hosted in the IBM managed SaaS cloud
All the logs collected by Splunk from Various log sources forwarded to QRadar
Splunk configured to send all logs in the raw data(_raw) format to the data gateway of qradar.
The data transmission will be via the output from a query run every minute. This query output all new data received in that time period.
and a A load balancer f5 deployed to set up this configuration.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...