Getting Data In
Highlighted

Steps to setup splunk forwarder for splunk in the cloud

Explorer

Can you please provide the steps to configure splunk forwarder to talk to a splunk web instance in the cloud?

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Community Manager
Community Manager

Hi @raghunand

When you sign up for Splunk Cloud, you receive an email with instructions for logging in to your Cloud account. You also receive an app for your forwarder which is unique to you and helps you to configure your forwarder to send data to your Cloud deployment as shown on the Cloud documentation http://docs.splunk.com/Documentation/SplunkCloud/latest/User/GetstartedwithSplunkCloud

View solution in original post

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Explorer

According to step 3

"3. To help configure your forwarder, we've provided an app. Your app is unique to you. Unzip the attached file and move the entire unzipped directory into your forwarder app directory, /opt/splunkforwarder/etc/apps"

Where do I actually find this app? online in the App List? Does it get emailed?

0 Karma
Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Community Manager
Community Manager

Hi @raghunand

So when you become a Splunk Cloud customer, you get a "Getting Started" email that has both your Cloud account login instructions and the forwarder app. The top of that page you're reading says to contact sales@splunk.com to sign up for Splunk Cloud. Only then will you receive an email with everything you need. Have you done that first step yet? 🙂

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Super Champion

I have to second what ppablo says: the page you are quoting from the documentation contains the complete answer to the question you asked. The top of that page explains: (1) When you sign up, you will receive a getting started email from your sales rep, and (2) the email will contain login instructions and the forwarder app. Then, the sentence that you quote says that the forwarder app is a file attached to that email. So that's where it is. From there, see the "CLI commands for input" topic, then restart your forwarder.

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Contributor

What's written above is true for Splunk Cloud. However, its presently different than the online sandbox. The online sandbox is not a full featured version of Splunk, there are limitations:

5 GB /day 15 day retention
5/GB Day License
28 GB total disk space
GUI Only no CLI
Open ports 443 and 9997

Whats new in the sandbox:
Splunk Tutorial
Drag and Drop inputs
Additional source types (27)

Whats not there:

No new inputs
No CLI, no ssh
Limited email alerts (2 per minute)
No API or SDK

There is no configuration app for the Sandbox. If you want to use a forwarder to send data into Splunk Cloud Sandbox, please follow these instructions:

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

,There is presently a difference between Splunk Cloud and Splunk Sandbox (free 2 week trial). Whats written about the "forwarder app" above is applicable to Splunk Cloud.

To get data into the Sandbox from the forwarder, you will not get a config app, you have to make the changes yourself. See this article on how to get data into the Sandbox.

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Ultra Champion

Here is an example of how to setup the credentials to send data to your Splunkcloud deployment

Prerequisite :

  • install a forwarder on your server (linux or windows), and start it
  • retrieve the "Splunk Cloud Universal Forwarder app" forwarder credential app (from the splunkcloud search-head in the splnukclouduf "universal forwarder" UI app)

The file is a SPL file 100mydeploymentnamesplunkcloud.spl
but if you want to rename it tar.gz you can untar it and check the content. (a default folder, a readme, maybe a cert folder in older versions)

Remark :

  • Make sure that you didn't already tried to setup your forwarding destination, at install time, or using the CLI, or the MSI installer. Otherwise, check for your local/outputs.conf, and remove the ones that were populates in the local folders.

To install the credentials :

  • if you are doing the install on the command line, use the splunk app install command with splunk running.
    go to the splunk folder in the bin folder
    splunk app install "path\to\100mydeploymentnamesplunkcloud.spl"
    If you are using the default credentials, the user is "admin", the password "changeme"

  • if you want to use a third party deployment tool (chef, etc...)
    untar the 100mydeploymentnamesplunkcloud.spl and push it to your forwarders in the apps folder
    $SPLUNKHOME\etc\apps\
    you want at the end something like
    $SPLUNK
    HOME\etc\apps\100mydeploymentnamesplunkcloud with the default folder inside

  • if you want to use a splunk deployment server :
    Make sure that you already have a license to enable the deployment server.
    And make sure that your forwarders are all deployment-clients of this instance.
    Then untar the app in the deployment server special folder deployment-apps
    $SPLUNKHOME\etc\deployment-apps\100mydeploymentname_splunkcloud with the default folder inside
    And use the UI manager or the serverclass.conf to define your classes and on which forwarder deploy which app.

Highlighted

Re: Steps to setup splunk forwarder for splunk in the cloud

Engager

my company signed up for cloud. but that was months ago. now i'm doing a new server. so any 'email' that someone might have gotten is gone.

so if you would kindly FIX the docs page https://frustratedcustomer.splunkcloud.com/en-US/app/splunkclouduf/setupuf

where the links are BROKEN, that might make it easier to perform these steps...

next this statement.

"Make sure that you didn't already tried to setup your forwarding destination, at install time, or using the CLI, or the MSI installer.

Otherwise, check for your local/outputs.conf, and remove the ones that were populates in the local folders."

is just confusing. the instrux at the link said to run the MSI

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.