Splunk Enterprise

Using HTTP to get data into Splunk, but no host is set? - How do i set the host

robertlynch2020
Influencer

Hi,

We are using HEC/HTTP to send data (OpenTelemetry) into Splunk using an exporter (exporter below):

https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/splunkhecexport...

There does not seem to be a way to set host!
We can set "source", "sourcetype", etc., but not host.

As a result, host = unknown.

When we try to set a host we get errors. Where do I define it?


Thanks in Advance

Robert

0 Karma
1 Solution

robertlynch2020
Influencer

Hi,

This can be solved from the exporter configuration.

We can see from below that we have set host.name; this will send the data as host to Splunk.

Hi,

This worked, thanks.

The file code is below.

receivers:
  otlp: # pushed by clients
    protocols:
      grpc:
        endpoint: :${OTLP_RECEIVER_PORT}

processors:
  batch:
    timeout: 1s
  resource:
    attributes:
      - key: host.name
        value: "TEST1"
        action: insert

exporters:
  prometheus: # pulled by prometheus
    endpoint: :${PROMETHEUS_EXPORTER_PORT}
  splunk_hec: # pushed to splunk
    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"
    endpoint: "https://mx33456vm:8088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "metrics_test"
    insecure_skip_verify: true
  splunk_hec/events: # pushed to splunk
    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"
    endpoint: "https://mx33456vm:8088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "events_test"
    insecure_skip_verify: true

service:
  pipelines:
    metrics:
      receivers: [otlp]
      processors: [batch,resource]
      exporters: [prometheus,splunk_hec,splunk_hec/events]


0 Karma
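As an added illustration (not code from the thread or from the exporter project), the functions below build the HEC envelope the way the configuration above relies on: the `host.name` resource attribute becomes HEC's `host` field, and a record without it produces an event with no host key, which Splunk then reports as `unknown`. The sample records are constructed, the attribute-to-field mapping is stated as an assumption about the exporter's default behaviour, and the small lint function flags the two settings in the posted config that a reviewer would question before production (TLS verification disabled, token in clear text).

```python
import json

# Constructed sample records (not from the thread): the same log body before and
# after the resource processor inserted host.name.
WITHOUT_HOST = {"body": "login ok", "resource": {"service.name": "mx"}}
WITH_HOST = {"body": "login ok",
             "resource": {"service.name": "mx", "host.name": "TEST1"}}

# Assumed default mapping of OTel resource attributes to HEC metadata fields.
RESOURCE_TO_HEC = {"host.name": "host", "com.splunk.source": "source",
                   "com.splunk.sourcetype": "sourcetype", "com.splunk.index": "index"}


def to_hec_event(record, source="mx", sourcetype="otel", index="events_test"):
    """Build one /services/collector JSON object from an OTel-style record.

    Exporter-level source/sourcetype/index are defaults; resource attributes that
    map to HEC metadata override them, every other attribute goes to 'fields'.
    'host' is only set when host.name is present, so a missing attribute yields
    an event with no host key (Splunk shows host=unknown for such events)."""
    event = {"event": record["body"], "source": source,
             "sourcetype": sourcetype, "index": index}
    fields = {}
    for key, value in record.get("resource", {}).items():
        hec_key = RESOURCE_TO_HEC.get(key)
        if hec_key:
            event[hec_key] = value
        else:
            fields[key] = value
    if fields:
        event["fields"] = fields
    return event


def effective_host(record):
    """Return the host Splunk will index this record under, or 'unknown'."""
    return to_hec_event(record).get("host", "unknown")


def lint_exporter(cfg):
    """Flag splunk_hec exporter settings worth fixing: TLS verification disabled,
    or a HEC token written literally instead of via an env var like ${SPLUNK_HEC_TOKEN}."""
    warnings = []
    if cfg.get("insecure_skip_verify"):
        warnings.append("insecure_skip_verify=true: HEC certificate is not verified")
    if "token" in cfg and not str(cfg["token"]).startswith("${"):
        warnings.append("token is hard-coded; reference it from the environment instead")
    return warnings


if __name__ == "__main__":
    print(json.dumps(to_hec_event(WITH_HOST), indent=2))
    print("host without host.name:", effective_host(WITHOUT_HOST))
```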


Hemnaath
Motivator

Hi Robert,

We need some inputs from you on implementing OpenTelemetry data in Splunk. We wanted to do a POC for our client and ingest OpenTelemetry logs and traces into Splunk, and I have the following questions:

  • Is it possible to do this with a Splunk Enterprise trial license? Or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data?
  • Can we use a universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector?
  • Share the link or document to ingest the OpenTelemetry logs into Splunk.

Could you please guide me on this.

0 Karma

robertlynch2020
Influencer
  • Is it possible to do this with a Splunk Enterprise trial license? Or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data?
  • [RL] You can get a 10GB dev license or a 50GB one. However, some are available depending on whether you are a customer or not. But this is definitely a free Splunk license to get you started.
  • Can we use a universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector?
  • [RL] In our case we did not use the UF, as we developed an exporter to send it directly to Splunk via the HTTP Event Collector.
  • Share the link or document to ingest the OpenTelemetry logs into Splunk.
  • [RL] I will have to come back to you on this, as I can't fully remember where I got this from.
0 Karma

Hemnaath
Motivator

Hi Robert,

We are doing a POC for our client; as per the client, we want to ingest ForgeRock OpenTelemetry data into Splunk. For the POC we have installed the ForgeRock application, and the Splunk application is running in a Google Cloud instance (trial version), but we are not sure how to on-board the data into Splunk. So could you please give me some heads-up on how to ingest the ForgeRock event data, metrics and logs into Splunk. Kindly share the documents or steps which you referred to for ingesting the data into Splunk.

Thanks
0 Karma

Hemnaath
Motivator

Thanks Robert for the quick response on this. I had posted many questions regarding the same on Splunk answers.com but no one had responded.

Please guide me on getting the OpenTelemetry data into Splunk.

0 Karma