Splunk Cloud Platform

Splunk Cloud and Cisco Secure eStreamer Client Add-On

hendriks
Path Finder

Is the app (Cisco Secure eStreamer Client Add-On [https://splunkbase.splunk.com/app/3662]) even usable on Splunk Cloud? I can install it from the "browse more apps" page in the cloud app management area, but it seems I will not be able to set it up or use it, as

1) it requires you to edit a config file on disk;
2) it writes the data it retrieves from Cisco to a local disk;
3) it is not possible to create a disk monitor in Splunk Cloud.

The only real option seems to be to use a heavy forwarder.

Any suggestions?


PickleRick
SplunkTrust

Firstly, it's a Cisco-provided app. Vendor-created apps are, unfortunately, often poorly written. They do understand their own products, but they often do not understand Splunk well enough.

Secondly, while you probably could edit the app's files, repackage it and try to deploy it in Cloud, the app would probably not pass AppInspect.

Thirdly, the description on Splunkbase says clearly that it's meant to be installed on a forwarder.

hendriks
Path Finder

Thank you for the reply. I missed the "to be installed on a forwarder" line, as it is only one line in the details and not mentioned in the installation section or anywhere else.

It actually still is strange that it can be installed on Splunk Cloud, as you can't use it there. Even if you could configure it, it wants to write the logs it retrieves locally before ingesting them.

So an HF it is.

Kind regards,

Richard

PickleRick
SplunkTrust

I suppose (I haven't seen this particular Add-On) it might contain search-time settings as well. Often add-ons should be installed on several tiers at the same time, since they might contain search-time extractions, which are effective at the SH tier, as well as index-time settings (like sourcetype definitions for timestamp extraction and event breaking), which are effective on the indexer tier or HF.
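A quick way to check this for yourself is to read the add-on's props.conf and sort each stanza's settings by the tier on which they take effect. The script below is an added example, not code from the thread or from the Cisco add-on; the props.conf fragment it parses (stanza names, field names, transform name) is constructed for illustration, and the key classification follows Splunk's documented split between index-time settings (event breaking, timestamping, TRANSFORMS-/SEDCMD-) and search-time settings (EXTRACT-, REPORT-, FIELDALIAS-, EVAL-, LOOKUP-, KV_MODE).

```python
import configparser

# Settings applied at index time, i.e. on the indexer tier or on a heavy forwarder
# that parses the data: event breaking, timestamp extraction, truncation, transforms.
INDEX_TIME_KEYS = {
    "SHOULD_LINEMERGE", "LINE_BREAKER", "BREAK_ONLY_BEFORE", "MUST_BREAK_AFTER",
    "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TZ", "DATETIME_CONFIG",
    "TRUNCATE", "CHARSET", "NO_BINARY_CHECK",
}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

# Settings applied at search time, i.e. on the search head tier: field extractions,
# aliases, calculated fields and automatic lookups.
SEARCH_TIME_KEYS = {"KV_MODE", "AUTO_KV_JSON"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")


def classify_key(key):
    """Return 'index_time', 'search_time' or 'unknown' for one props.conf key."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index_time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search_time"
    return "unknown"


def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}, preserving key case."""
    # No interpolation: Splunk values contain '%' (TIME_FORMAT) and regexes.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def classify_props(text):
    """Group each stanza's settings by the tier on which they take effect."""
    result = {}
    for stanza, settings in parse_props(text).items():
        groups = {"index_time": [], "search_time": [], "unknown": []}
        for key in settings:
            groups[classify_key(key)].append(key)
        result[stanza] = groups
    return result


def tiers_needed(text):
    """Return the set of tiers an app with this props.conf must be deployed to."""
    tiers = set()
    for groups in classify_props(text).values():
        if groups["index_time"]:
            tiers.add("indexer or heavy forwarder")
        if groups["search_time"]:
            tiers.add("search head")
    return tiers


# Constructed props.conf fragment for this example; the stanza names, field names
# and transform name are hypothetical and not taken from any real add-on.
SAMPLE_PROPS = r"""
[example:vendor:data]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = event_sec=
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
TRUNCATE = 100000
TRANSFORMS-null = drop_keepalives
KV_MODE = none
EXTRACT-rec_type = rec_type=(?<rec_type>\d+)
FIELDALIAS-src = src_ip AS src
EVAL-action = if(blocked="1", "blocked", "allowed")

[example:vendor:metrics]
KV_MODE = json
"""

if __name__ == "__main__":
    for stanza, groups in classify_props(SAMPLE_PROPS).items():
        print(stanza)
        for tier, keys in groups.items():
            print(f"  {tier}: {', '.join(keys) or '-'}")
    print("tiers needed:", sorted(tiers_needed(SAMPLE_PROPS)))
```

Run it against the props.conf shipped in an add-on's default/ directory: a stanza with only search-time keys can live on the search head alone, a stanza with index-time keys has to reach whichever instance first parses the data (the HF in this thread), and anything reported as "unknown" is worth looking up before deciding where it goes.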

tscroggins
Motivator

If you have a private link, your Splunk account management team and Splunk support may assist with sizing and configuration; however, I would recommend a heavy forwarder to 1) manage infrastructure and transit costs and 2) limit network access to your FMC to devices under your control. The eStreamer client can also be unstable, and having direct access to the heavy forwarder will reduce your MTTR.


hendriks
Path Finder

Thanks, yes that was what I actually already figured out. 
