Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send event/log data to muptiple splunk customers

saiteja1111n
Engager
‎04-14-2021 10:19 PM

Hi,

We have a requirement to push events/logs from our applications to different customers using splunk enterprise/cloud(events only specific to customer). Our application is a cloud solution and runs on Kubernetes cluster.

I am looking for a solution in which, one application can be used to filter and push to different customers splunk instance. Can you suggest which splunk application can be used to solve this.

I researched 'Splunk Universal Forwarder' can be installed and can be used to push data, but can the same universal forwarder instance be used to push to multiple customer's splunk instance?

I also saw the 'splunk connect for syslog' can be installed and can be used to push data to splunk instance. Can we apply that for this usecase.

In case we have a better solution, please do let me know.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-15-2021 11:19 PM

Hi @saiteja1111n,

Ok, you don't want to index logs and you want to use Universal Forwarders.

In this case you have to put in acustom App at least two conf files:

  • inputs.conf,
  • outputs.conf;

the second containing the destination for each input to use then in the inputs.conf;

the first containing the list of the inputs to take with options for:

  • index,
  • sourcetype,
  • destination (_TCP_ROUTING = systemGroup).

then, if you're using a Deployment Server, also a third  conf file: deploymentclient.conf.

Then, as every configuration on UFs, you have to restart Splunk on UF so the changes will be applied, there isn't any other way to do this.

About REST API, for my knowledge, you can use them also on on-premise installations.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-14-2021 11:42 PM

Hi @saiteja1111n,

you could take all the logs in a Splunk installation (on-premise or Cloud) and create an alert for each destination that sends data in a csv file as attachment.

Another solution could be create one syslog or a SNMP output for each destination.

In every cases you have to index data.

If you don't want to index data and you tale logs with Universal Forwarders, you could configure them (using outputs.conf) to send data to different Splunk installations as described at https://docs.splunk.com/Documentation/Splunk/8.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... 

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

saiteja1111n
Engager
‎04-15-2021 10:27 PM

@gcusello If I don't want to do indexing and use Universal Forwarders, I see that the config changes are required in input and output conf files. To apply this, I see that it needs restart. Does the forwarder picks up where it left after restart on pushing the logs? Or we have any way to dynamically inject config.

Also I see that we can configure splunk to get data from REST API endpoints, or S3 bucket or azure blob storage. Are these supported only by splunk cloud or does enterprise also support them.

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-15-2021 11:19 PM

Hi @saiteja1111n,

Ok, you don't want to index logs and you want to use Universal Forwarders.

In this case you have to put in acustom App at least two conf files:

  • inputs.conf,
  • outputs.conf;

the second containing the destination for each input to use then in the inputs.conf;

the first containing the list of the inputs to take with options for:

  • index,
  • sourcetype,
  • destination (_TCP_ROUTING = systemGroup).

then, if you're using a Deployment Server, also a third  conf file: deploymentclient.conf.

Then, as every configuration on UFs, you have to restart Splunk on UF so the changes will be applied, there isn't any other way to do this.

About REST API, for my knowledge, you can use them also on on-premise installations.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...