Splunk light alerts to Splunk Enterprise

knalla · ‎02-04-2020

Hello,

we have splunk light platform only for few systems, Is there a way to send alerts from splunk light and ingest to splunk enterprise?

gcusello · ‎02-04-2020

Hi @knalla,
have you Splunk Light Free or Splunk Light?
If you have Splunk Light Free, Alerting isn't an available feature.
If you have Splunk Light, you can run an alert and send an event to Splunk Enterprise in many ways: via syslog, event in in a forwarded index or running a script.

Ciao.
Giuseppe

knalla · ‎02-04-2020

Yes, alerting is available, currently email alerts are configured.

knalla · ‎02-04-2020

Thanks gcusello, how can I configure syslog output for splunk light?

gcusello · ‎02-04-2020

Hi @knalla,
to use syslogs, you can follow this documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Forwarddatatothird-partysystemsd#Syslo...

Otherwise, you should configure something like an alert action that sends events across via HTTP Event Collector using the TA-Send_to_HEC App ( https://splunkbase.splunk.com/app/3508/ ) and enablig HEC on Splunk Enterprise (for more infos see https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/UsetheHTTPEventCollector ).

But maybe the easyest way is to send alerts to a mailbox and monitor this mailbox using the Splunk for IMAP App ( https://splunkbase.splunk.com/app/27/ ).

Ciao.
Giuseppe

Splunk light alerts to Splunk Enterprise

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout