Export logs from Splunk Cloud to GCP Pub/Sub

bhagyashriyan
Explorer

Hi Splunkers,

I would like to export logs (raw/csv) out of Splunk Cloud periodically to send them to GCP Pub/Sub. How can I achieve this? Appreciate ideas here.


tscroggins
Influencer

Hi @bhagyashriyan,

This is a challenge in Splunk Cloud at scale. If you manage data flow at the source or integration layers, you may prefer to tee your data to both Splunk Cloud and Google Cloud Pub/Sub at one of those layers.

Otherwise, you can execute relatively simple saved searches in Splunk Cloud using an external client and stream the output to Google Cloud Pub/Sub.

For example:

index=foo | fields - _raw | table *

will return _time and all fields available at search time from the search's execution context (user and app). Note that results are returned in _time reversed order, newest to oldest.

In Google Cloud, you can use a combination of low cost services to periodically execute the search via the Splunk Cloud REST API in batches over fixed _time intervals and stream the results to Google Cloud Pub/Sub.


bhagyashriyan
Explorer

Hi @tscroggins,

Could you please elaborate on running searches in GCP using rest api?

Thanks


tscroggins
Influencer

Hi @bhagyashriyan,

Any Google Cloud solution that allows you to submit HTTP requests, parse HTTP responses, and publish messages to a Google Cloud Pub/Sub topic can use the Splunk Cloud REST API, assuming REST API access is enabled and granted to the source Google Cloud egress address(es).

You can execute Splunk searches using the Splunk Cloud REST API search/jobs endpoint. Here's a simple Bash command-line example using curl, jq, and gcloud:

curl -s -u username:password \
  https://<deployment-name>.splunkcloud.com:8089/services/search/jobs \
  -d search="| makeresults count=10" -d exec_mode=oneshot -d output_mode=json \
  | jq -c '.results[]' \
  | while IFS= read -r message; do
      gcloud pubsub topics publish mytopic --message="${message}"
    done

Replace <deployment-name> with your Splunk Cloud stack name and mytopic with your Google Cloud Pub/Sub topic name. This example assumes gcloud is already correctly configured. You can also use Splunk Cloud access tokens instead of username/password authentication.

See https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTTUT/RESTandCloud and https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTREF/RESTsearch#search.2Fjobs for more information.

I don't work in Google Cloud day to day, so I recommend browsing the Google Cloud documentation for inspiration.

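The two answers above describe the same pipeline: run a oneshot search against the search/jobs endpoint over fixed _time intervals, reverse the newest-first results, and publish one message per result to a Pub/Sub topic. The following Python is an added example written for this thread, not code from either poster or from Splunk or Google. It assumes a Splunk Cloud bearer token, uses the documented earliest_time/latest_time/exec_mode/output_mode parameters with epoch-second bounds, and takes the HTTP transport and the publish step as injectable callables so the windowing and message shaping can be run offline against a constructed response (the real transport `splunk_post` and the `<deployment-name>` host are placeholders you would wire to your own stack and a Pub/Sub client).

```python
"""Batch-export Splunk Cloud oneshot search results to Pub/Sub-style messages.

Added example for the thread above, not the posters' code. Assumes a Splunk
Cloud bearer token; HTTP and publishing are injected so it runs offline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def oneshot_params(spl: str, earliest: int, latest: int) -> dict:
    """Form fields for POST /services/search/jobs as a blocking oneshot search.
    earliest_time is inclusive and latest_time exclusive in Splunk, so adjacent
    windows built below neither overlap nor leave gaps."""
    query = spl if spl.lstrip().startswith(("search", "|")) else "search " + spl
    return {
        "search": query,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": str(earliest),
        "latest_time": str(latest),
    }


def splunk_post(base_url: str, token: str, params: dict) -> str:
    """Real transport (placeholder host): POST form-encoded params with a
    Splunk Cloud token in the Authorization header and return the body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": "Bearer " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=300) as resp:
        return resp.read().decode()


def parse_results(body: str) -> list:
    """Rows from output_mode=json, reordered oldest-first so downstream
    consumers see events in time order (Splunk returns newest-first)."""
    return list(reversed(json.loads(body).get("results", [])))


def to_message(row: dict) -> bytes:
    """Compact, key-sorted JSON for one event; Pub/Sub message data is bytes."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def time_windows(start: datetime, end: datetime, step: timedelta) -> list:
    """Split [start, end) into fixed-size (earliest, latest) epoch-second pairs."""
    out, t = [], start
    while t < end:
        nxt = min(t + step, end)
        out.append((int(t.timestamp()), int(nxt.timestamp())))
        t = nxt
    return out


def export(spl, start, end, step, post, publish) -> int:
    """One oneshot search per window; publish every row. `post(params)` returns
    the response body, `publish(data)` sends one message. Returns messages sent."""
    sent = 0
    for earliest, latest in time_windows(start, end, step):
        for row in parse_results(post(oneshot_params(spl, earliest, latest))):
            publish(to_message(row))
            sent += 1
    return sent


# Constructed sample response in the shape of output_mode=json (not real data).
FAKE_BODY = json.dumps({
    "preview": False,
    "results": [
        {"_time": "2024-05-01T00:00:02.000+00:00", "host": "web-1", "status": "500"},
        {"_time": "2024-05-01T00:00:01.000+00:00", "host": "web-1", "status": "200"},
    ],
})


def demo():
    """Offline run: two 1-hour windows, fake transport, in-memory publisher.
    Returns (request params per window, published payloads, count)."""
    calls, sent = [], []

    def fake_post(params):
        calls.append(params)
        return FAKE_BODY

    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    n = export("index=foo | fields - _raw | table *", start,
               start + timedelta(hours=2), timedelta(hours=1), fake_post, sent.append)
    return calls, sent, n


if __name__ == "__main__":
    for payload in demo()[1]:
        print(payload.decode())
```

To run it for real, pass `lambda p: splunk_post("https://<deployment-name>.splunkcloud.com:8089", token, p)` as `post` and a Pub/Sub client's publish call as `publish`; keep `step` small enough that each oneshot search stays under the result and run-time limits of your stack, and persist the last completed window so a restart resumes where it left off instead of re-publishing.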