Steps to set up Splunk forwarder for Splunk in the cloud

raghunand
Explorer

Can you please provide the steps to configure a Splunk forwarder to talk to a Splunk Web instance in the cloud?

1 Solution

ppablo
Retired

Hi @raghunand

When you sign up for Splunk Cloud, you receive an email with instructions for logging in to your Cloud account. You also receive an app for your forwarder which is unique to you and helps you to configure your forwarder to send data to your Cloud deployment as shown on the Cloud documentation http://docs.splunk.com/Documentation/SplunkCloud/latest/User/GetstartedwithSplunkCloud

dguimbellot
Engager

My company signed up for Cloud, but that was months ago. Now I'm doing a new server, so any 'email' that someone might have gotten is gone.

So if you would kindly FIX the docs page https://frustratedcustomer.splunkcloud.com/en-US/app/splunkclouduf/setupuf

where the links are BROKEN, that might make it easier to perform these steps...

Next, this statement:

"Make sure that you didn't already tried to setup your forwarding destination, at install time, or using the CLI, or the MSI installer.

Otherwise, check for your local/outputs.conf, and remove the ones that were populates in the local folders."

is just confusing. The instructions at the link said to run the MSI.

yannK
Splunk Employee

Here is an example of how to set up the credentials to send data to your Splunk Cloud deployment.

Prerequisites:

  • Install a forwarder on your server (Linux or Windows), and start it.
  • Retrieve the "Splunk Cloud Universal Forwarder app" forwarder credential app (from the Splunk Cloud search head, in the splunkclouduf "universal forwarder" UI app).

The file is an SPL file, 100_mydeploymentname_splunkcloud.spl, but if you rename it to tar.gz you can untar it and check the content (a default folder, a readme, maybe a cert folder in older versions).

Remark:

  • Make sure that you have not already tried to set up your forwarding destination at install time, using the CLI, or using the MSI installer. Otherwise, check for your local/outputs.conf files, and remove the ones that were populated in the local folders.

To install the credentials:

  • If you are doing the install on the command line, use the splunk app install command with Splunk running.
    Go to the splunk folder in the bin folder:
    splunk app install "path\to\100_mydeploymentname_splunkcloud.spl"
    If you are using the default credentials, the user is "admin", the password "changeme".

  • If you want to use a third-party deployment tool (Chef, etc.):
    Untar the 100_mydeploymentname_splunkcloud.spl and push it to your forwarders in the apps folder
    $SPLUNK_HOME\etc\apps\
    You want at the end something like
    $SPLUNK_HOME\etc\apps\100_mydeploymentname_splunkcloud with the default folder inside.

  • If you want to use a Splunk deployment server:
    Make sure that you already have a license to enable the deployment server.
    And make sure that your forwarders are all deployment clients of this instance.
    Then untar the app in the deployment server special folder deployment-apps
    $SPLUNK_HOME\etc\deployment-apps\100_mydeploymentname_splunkcloud with the default folder inside.
    And use the UI manager or the serverclass.conf to define your classes and which app to deploy on which forwarder.
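
The untar-and-push route above, with the outputs.conf remark turned into a pre-flight check, as an added example that is not part of the original post or Splunk's own tooling. It treats the .spl as a gzipped tar archive as the post describes; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before staging a Splunk Cloud credentials app.
# Function names and the sample tree from make_sample are constructed here.

# List outputs.conf files in local folders outside the credentials app.
find_local_outputs() {  # $1 = SPLUNK_HOME, $2 = credentials app folder name
    find "$1/etc/system/local" "$1/etc/apps" -path '*/local/outputs.conf' \
        ! -path "$1/etc/apps/$2/*" 2>/dev/null | sort
}

# Check the package: safe member paths, one top-level folder, a default/ folder.
check_spl() {  # $1 = path to the .spl file (a gzipped tar archive)
    entries=$(tar -tzf "$1") || return 1
    # Refuse absolute paths and ".." components that would escape etc/apps.
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then return 2; fi
    top=$(printf '%s\n' "$entries" | cut -d/ -f1 | sort -u)
    [ "$(printf '%s\n' "$top" | wc -l)" -eq 1 ] || return 3
    printf '%s\n' "$entries" | grep -q "^$top/default/" || return 4
    printf '%s\n' "$top"
}

# Untar into etc/apps only when the package is sane and nothing local conflicts.
stage_app() {  # $1 = .spl file, $2 = SPLUNK_HOME
    app=$(check_spl "$1") || return 1
    conflicts=$(find_local_outputs "$2" "$app")
    if [ -n "$conflicts" ]; then
        printf 'review these local outputs.conf files first:\n%s\n' "$conflicts" >&2
        return 5
    fi
    tar -xzf "$1" -C "$2/etc/apps" && printf '%s\n' "$2/etc/apps/$app"
}

# Build a constructed package and forwarder tree in a temp dir; print its root.
make_sample() {
    root=$(mktemp -d)
    app_name=100_mydeploymentname_splunkcloud
    mkdir -p "$root/src/$app_name/default" "$root/home/etc/apps" \
        "$root/home/etc/system/local"
    echo '# constructed placeholder' > "$root/src/$app_name/default/outputs.conf"
    tar -czf "$root/$app_name.spl" -C "$root/src" "$app_name"
    printf '%s\n' "$root"
}

# Demo on the constructed data: prints the staged app folder, then cleans up.
demo_root=$(make_sample)
stage_app "$demo_root/100_mydeploymentname_splunkcloud.spl" "$demo_root/home"
rm -rf "$demo_root"
```

On a real forwarder, restart it after staging so the new app is read.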

khourihan_splun
Splunk Employee

What's written above is true for Splunk Cloud. However, it's presently different from the online sandbox. The online sandbox is not a full-featured version of Splunk; there are limitations:

5 GB /day 15 day retention
5/GB Day License
28 GB total disk space
GUI Only no CLI
Open ports 443 and 9997

What's new in the sandbox:
Splunk Tutorial
Drag and Drop inputs
Additional source types (27)

What's not there:

No new inputs
No CLI, no ssh
Limited email alerts (2 per minute)
No API or SDK

There is no configuration app for the Sandbox. If you want to use a forwarder to send data into Splunk Cloud Sandbox, please follow these instructions:

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

There is presently a difference between Splunk Cloud and Splunk Sandbox (free 2 week trial). What's written about the "forwarder app" above is applicable to Splunk Cloud.

To get data into the Sandbox from the forwarder, you will not get a config app, you have to make the changes yourself. See this article on how to get data into the Sandbox.

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

ChrisG
Splunk Employee

I have to second what ppablo says: the page you are quoting from the documentation contains the complete answer to the question you asked. The top of that page explains: (1) When you sign up, you will receive a getting started email from your sales rep, and (2) the email will contain login instructions and the forwarder app. Then, the sentence that you quote says that the forwarder app is a file attached to that email. So that's where it is. From there, see the "CLI commands for input" topic, then restart your forwarder.

ppablo
Retired

Hi @raghunand

So when you become a Splunk Cloud customer, you get a "Getting Started" email that has both your Cloud account login instructions and the forwarder app. The top of that page you're reading says to contact sales@splunk.com to sign up for Splunk Cloud. Only then will you receive an email with everything you need. Have you done that first step yet? 🙂

raghunand
Explorer

According to step 3

"3. To help configure your forwarder, we've provided an app. Your app is unique to you. Unzip the attached file and move the entire unzipped directory into your forwarder app directory, /opt/splunkforwarder/etc/apps"

Where do I actually find this app? Online in the App List? Does it get emailed?
