Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk qroc integration

Nilkanth
New Member
‎01-12-2019 08:03 AM

Hello Guys,

We are using splunk as log collector only and via heavy forwarder we are receiving logs on Qroc (Qradra cloud version) with one LB in between.now the problem is none of the data is getting parsed at Qroc end.
for all logs we are getting only Datagateway IP as device address.
so my questions is does Splunk support as kind of integration.does splunk modify original log format.is there any way we can solve this mess

0 Karma
Reply

lakshman239
Influencer
‎01-15-2019 07:15 AM

Yes, splunk supports 3rd party integration. If you are using Splunk HF as just forwarder, you need to follow the steps below to configure it [ you will need to provide the LB ip as receiver]
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd

Once the data hits the LB (raw data), it will then go to any other SIEM platform, which should have appropriate add-ons/apps/plug-in/transforms/adapters to extract required fields from the raw data to match your use case.

0 Karma
Reply

nikita_p
Contributor
‎01-15-2019 04:21 AM

Hi,
If you are using F5 to deploy this configuration, then there is a splunk app for F5 Analytics(new) which helps to send data to splunk via HEC or if you don't don't to use HEC and monitor via port then there is another add-on for splunk F5.

0 Karma
Reply

nikita_p
Contributor
‎01-15-2019 04:25 AM

You can go through both the documentations on Splunk. PFB the same
https://splunkbase.splunk.com/app/3161/

https://splunkbase.splunk.com/app/2680/

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2019 12:27 PM

What are your props.conf settings for the Qroc sourcetype?

Unrelated to your problem, but still important: How many heavy forwarders are you using? Why do you need a load balancer? What kind of load balancer are you using?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Nilkanth
New Member
‎01-12-2019 01:07 PM

Hi richgalloway,

thank you for your comment, i will check props.conf when i am back to office on monday.
there are 2 heavy forwaders.
The IBM Q Radar is hosted in the IBM managed SaaS cloud
All the logs collected by Splunk from Various log sources forwarded to QRadar
Splunk configured to send all logs in the raw data(_raw) format to the data gateway of qradar.
The data transmission will be via the output from a query run every minute. This query output all new data received in that time period.
and a A load balancer f5 deployed to set up this configuration.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...