Can someone walk me through the steps of ingesting data into splunk cloud. I have read the documentation but it gets confusing.
It totally depends on the log source you are dealing with.
Windows/Linux: Install UF, add the Splunk Cloud Credential File. Edit the inputs.conf file if you want to change the Index.
Firewall Logs: If you have a Syslog server in place, install a UF on it and redirect the logs from the Syslog folder to it. If you do not have a Syslog server, you can use a Heavy Forwarder configured as a Syslog Receiver.
Cloud-Based: Check for supported apps. Most of them support API based integration, which is easy to do. Each app includes the steps to follow.
Let me know if you have any specific devices in question. I am no expert, but will definitely try to help you out.
Each data source is different, but I noticed you tagged this for Windows so I'll post this guide:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/Admin/WindowsGDI#Overview
Essentially you log in to the Splunk Cloud Search Head, download the Universal Forwarder app and distribute that app to the /opt/splunkforwarder/etc/apps/ directory of the machines from which you want to send data to the Cloud.
Depending on your needs and network architecture, it could get more complicated, but that is the simple version.
So each Windows Server would need a Splunk UF (Universal Forwarder) and the Splunk Cloud UF app/TA/add-on (TA stands for Technical Add-on) to be able to collect and send data.
Each data source also needs a configuration telling it what data to collect.
This is often achieved by using a Splunk TA aka add-on on Splunkbase:
https://splunkbase.splunk.com/
You can download the Splunk UF here:
https://www.splunk.com/en_us/download/universal-forwarder.html
For larger environments, the UF and required addons are usually distributed via a Splunk Deployment Server.
Also, data is often sent through one or more Forwarders before reaching the Cloud to minimize firewall rules, or depending on your network architecture needs.
All data sources need to be able to send data via tcp/9997 to Splunk Cloud.
So the breakdown of steps is:
There actually is an 'outputs.conf' but the Splunk Cloud TA/UF handles that to securely send to Splunk Cloud.
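As an added example, not from the thread and not the contents of Splunk's own shipped app, here is what the distribution side described above looks like in configuration: a serverclass.conf on the Deployment Server that pushes the Splunk Cloud credentials app and the Windows add-on to every Windows UF, the deploymentclient.conf that makes a UF phone home, and an outputs.conf of the shape the credentials app carries so you can see where tcp/9997 and the TLS settings live. The deployment server hostname, the stack name "mystack", the app names and the certificate file names are all assumptions.

```ini
# --- serverclass.conf on the Deployment Server (assumed host: deploy.example.internal) ---
# Every Windows UF that phones home receives two apps:
#   100_mystack_splunkcloud  - the credentials app downloaded from the Cloud search head (name assumed)
#   Splunk_TA_windows        - the Windows add-on from Splunkbase, which carries its own inputs.conf
[serverClass:windows_uf]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_uf:app:100_mystack_splunkcloud]
restartSplunkd = true

[serverClass:windows_uf:app:Splunk_TA_windows]
restartSplunkd = true

# --- deploymentclient.conf on each UF ($SPLUNK_HOME/etc/system/local or a small app) ---
# The UF polls the deployment server over its management port (8089 is the default).
[target-broker:deploymentServer]
targetUri = deploy.example.internal:8089

# --- outputs.conf as carried by the credentials app (illustrative shape only; the real file
#     holds the stack's indexer list and certificate settings, which is why you do not write one) ---
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
# Splunk Cloud indexers, all on tcp/9997; names assumed for this example
server = inputs1.mystack.splunkcloud.com:9997, inputs2.mystack.splunkcloud.com:9997
compressed = true
# TLS: verify the Cloud indexer certificate against the CA bundle in the app and present the client cert
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/apps/100_mystack_splunkcloud/default/cacert.pem
clientCert = $SPLUNK_HOME/etc/apps/100_mystack_splunkcloud/default/client.pem
# sslPassword for the client key is also set here and is encrypted by splunkd on first start
```

If you chain UFs through an intermediate forwarder as mentioned above, only that forwarder carries the credentials app and needs tcp/9997 egress to the Cloud; the UFs behind it get an outputs.conf pointing at the forwarder's own tcp/9997 listener instead. Keep the credentials app out of $SPLUNK_HOME/etc/system/local so the Deployment Server can replace it when the stack's certificates are rotated.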
Given there is a fair amount of documentation on the topic, it's not reasonable to expect full coverage of it here. Specific questions are more likely to get helpful answers.
There are many ways to get data into Splunk Cloud and which one to use will depend on the data source, your Splunk Cloud "experience", and other factors. Tell us more about what data you want to ingest and we should be able to offer some tips on how to do it.
firewall/network
windows logs
With windows you typically set up a Universal Forwarder on monitored machine(s), define inputs for the event logs you want to pull, point your output to your cloud instance and that's pretty much it.
With the "network/firewall" whatever that means it can be more complicated. I assume that you'll be getting events from those devices by means of syslog. So you need something to listen for syslog events and write them to Splunk. Might be a simple Universal Forwarder (but using raw tcp/udp inputs on a UF in a production environment is not the best idea), might be an SC4S instance, might be rsyslog or whatever you want. There are many different ways to handle syslog.
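Both the first reply (install the UF, change the index in inputs.conf, have the UF read the syslog server's folder) and this last one (define inputs for the event logs you want, avoid raw tcp/udp inputs on a production UF) describe the same inputs.conf. Here is an added example of that file, not posted by anyone in the thread, covering the two sources the OP listed. The app name, the index names (wineventlog, netfw) and the syslog file layout under /var/log/remote are assumptions; the indexes must already exist in Splunk Cloud or the events are dropped.

```ini
# inputs.conf on the Universal Forwarder, e.g. in
#   $SPLUNK_HOME/etc/apps/my_uf_inputs/local/inputs.conf   (app name assumed)

# --- Windows host: pull the event logs through the Windows Event Log API ---
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = true
start_from = oldest
current_only = 0
checkpointInterval = 5
# Drop the high-volume, low-value directory-service audit noise (regex applied to the message body)
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

[WinEventLog://System]
disabled = 0
index = wineventlog
renderXml = true

[WinEventLog://Application]
disabled = 0
index = wineventlog
renderXml = true

# --- Syslog server (Linux): tail the files rsyslog/syslog-ng already write, one per device ---
# Assumed layout: /var/log/remote/<device-hostname>/firewall.log, so the 4th path segment
# is the device name and becomes the event's host field instead of the syslog server's name.
[monitor:///var/log/remote/*/firewall.log]
disabled = 0
index = netfw
sourcetype = syslog
host_segment = 4
ignoreOlderThan = 7d

# What the last reply warns against: a raw listener on the UF itself. It works in a lab, but
# a UF cannot parse or route per device and UDP delivers nothing while splunkd is restarting.
# Kept disabled so it is not started by accident.
[udp://514]
disabled = 1
index = netfw
sourcetype = syslog
no_appending_timestamp = true
```

Replace the placeholder sourcetype `syslog` with whatever the vendor's Splunkbase add-on for your firewall expects, otherwise its field extractions will not apply. On the rsyslog side the per-device files come from a template keyed on the sender hostname, which is what makes host_segment work; if you let everything land in one file, set `host` via a transform instead or the events all carry the syslog server's name.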