Knowledge Management

Is there any way to forward kv store data on HWF to splunk cloud?

syokota_splunk
Splunk Employee

I am considering how to forward KV store data on a HWF to Splunk Cloud.
My understanding is that if I want to forward indexed data, I define it in inputs.conf on the HWF.

Can we monitor KV store data and forward it to Splunk Cloud?

The reason I am asking about this is that I'd like to collect threat intelligence via MineMeld, so I chose the "Palo Alto Add-On" to collect MineMeld data, but the threat intelligence data is basically gathered into the KV store.
https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html

If the "Palo Alto Add-On" cannot forward KV store data into Splunk Cloud, I'd choose another Splunk app such as "REST API Modular Input".

Thanks,
Satoshi

1 Solution

esix_splunk
Splunk Employee

Short answer, No.

Long answer, you could write that KV store to a summary index using a combination of lookup and collect, and that will get forwarded to Cloud. Or export the KV store to a CSV file with a saved search and ingest that file.

A few options.

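The two options in this answer (summary index via `inputlookup` + `collect`, or a CSV export via a scheduled search) can both be expressed as saved searches on the HWF. The following savedsearches.conf fragment is an added example written for this thread, not configuration from the answer above or from the Palo Alto Add-On; the stanza names, the lookup name `minemeld_threat_intel`, the summary index `summary_threat_intel`, the sourcetype and the schedules are all assumed placeholders.

```ini
# savedsearches.conf on the HWF (added example; lookup, index, sourcetype and
# stanza names are assumed placeholders, not values from the thread)

# Option 1: snapshot the KV store collection into a summary index.
# The collect command writes ordinary indexed events, so the HWF's existing
# outputs.conf forwards them to Splunk Cloud like any other data.
[summary_kvstore_threat_intel]
enableSched = 1
cron_schedule = */15 * * * *
search = | inputlookup minemeld_threat_intel \
    | eval _time = now() \
    | collect index=summary_threat_intel sourcetype=minemeld:kvstore marker="src=hwf_kvstore"

# Option 2: export the KV store collection to a CSV file and ingest that file.
# outputcsv writes under $SPLUNK_HOME/var/run/splunk/csv/ on the HWF; a
# monitor stanza in inputs.conf then picks the file up and forwards it.
[export_kvstore_threat_intel]
enableSched = 1
cron_schedule = 0 * * * *
search = | inputlookup minemeld_threat_intel | outputcsv minemeld_threat_intel_export.csv
```

Both variants forward a snapshot, not the live collection: every scheduled run re-emits the full contents, so searches against the summary index should dedup on the indicator field (or restrict to the latest `_time`), and the KV store itself stays on the HWF. The summary index must exist on the Splunk Cloud side before the first run, otherwise the collected events are dropped there.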

syokota_splunk
Splunk Employee

The issue is finally clear.
We installed the Palo Alto Add-On in the Splunk Cloud instance.
We also set the FQDN of the MineMeld server and imported the SSL certificate; the reason is referred to here:
https://answers.splunk.com/answers/582779/sslerror-ssl-certificate-verify-failed-certificate.html

Then we configured the input setting in Splunk Cloud to pull from the MineMeld server.
Thank you guys.


HiroshiSatoh
Champion

If you use the API, there is an app.

TA-SyncKVStore
https://splunkbase.splunk.com/app/3519/


syokota_splunk
Splunk Employee

Thanks Hiroshi-san, it seems that if I'd like to pull KV store data on the HWF, I need to install this app in Splunk Cloud and pull data from the HWF via the API.
I'll check it more.


starcher
SplunkTrust

My app is not Splunk cloud certified. So you’ll likely not get support to install it. You could run it from the HF if you can hit your Splunk cloud api from it.



syokota_splunk
Splunk Employee

Thanks, esix.
I understand that basically KV store data cannot be forwarded, so I have two options now.
1. Try to make a summary index of the KV store data
2. Don't use the Palo Alto Add-on; instead use "REST API Modular Input" and collect into an index
