Splunk Enterprise

Using HTTP to get data into Splunk, but no host is set? - How do i set the host

robertlynch2020
Motivator

Hi -

We are using HEC/HTTP to send data (OpenTelemetry) into Splunk using an exporter (exporter below):

 https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/splunkhecexport...

There does not seem to be a way to set host!
We can set "source", "sourcetype", etc., but not host.

As a result, host = unknown.

When we try to set a host we get errors. Where do I define it?


Thanks in Advance

Robert

1 Solution

robertlynch2020
Motivator

Hi,

This can be solved from the exporter configuration.

We can see from below that we have set host.name; this will send the data as host to Splunk.

This worked, and thanks.

The file code is below.

receivers:
  otlp:                          # pushed by clients
    protocols:
      grpc:
        endpoint: :${OTLP_RECEIVER_PORT}

processors:
  batch:
    timeout: 1s
  resource:
    # The attributes block is a list of actions; host.name is the resource
    # attribute the splunk_hec exporter maps to the Splunk "host" field.
    # Without it the events are indexed with host=unknown.
    attributes:
      - key: host.name
        value: "TEST1"
        action: insert           # only set when the client did not send one already

exporters:
  prometheus:                    # pulled by prometheus
    endpoint: :${PROMETHEUS_EXPORTER_PORT}
  splunk_hec:                    # pushed to splunk
    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"   # HEC token; treat it as a secret
    endpoint: "https://mx33456vm:8088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "metrics_test"
    insecure_skip_verify: true   # disables TLS certificate verification of the HEC endpoint; lab use only
  splunk_hec/events:             # pushed to splunk
    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"
    endpoint: "https://mx33456vm:8088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "events_test"
    insecure_skip_verify: true   # same caveat as above

service:
  pipelines:
    metrics:
      receivers: [otlp]
      processors: [batch, resource]
      exporters: [prometheus, splunk_hec, splunk_hec/events]

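Note that the fix above lives in the `resource` processor of the pipeline, not in the `splunk_hec` exporter block: the processor stamps `host.name` onto every resource, and the exporter then copies that attribute into the HEC event's `host` metadata. The following Python is an added example, not code from the thread or from the OpenTelemetry Collector, that models this mapping end to end so you can see why an event with no `host.name` arrives without a `host` key (which Splunk then reports as host=unknown) and how `action: insert` changes that. It assumes the attribute-to-HEC-field mapping shown in `HEC_ATTR_MAP` (the exporter's default `hec_metadata_to_otel_attrs` names, which you should check against the exporter version you run) and that exporter-level `source`/`sourcetype`/`index` apply when the resource carries no matching attribute; the sample resource is constructed.

```python
"""Added example (not the thread's or the collector's own code): model how an
OTLP resource becomes a Splunk HEC event envelope, and how the `resource`
processor's insert action supplies the missing host.

Assumptions not stated on the page: HEC_ATTR_MAP mirrors the exporter's
default hec_metadata_to_otel_attrs names; exporter-level defaults apply when
the resource lacks the attribute. Verify both against your exporter version.
"""
import json
from dataclasses import dataclass

# Resource attribute -> HEC metadata key (assumed default mapping, see above).
HEC_ATTR_MAP = {
    "host.name": "host",
    "com.splunk.source": "source",
    "com.splunk.sourcetype": "sourcetype",
    "com.splunk.index": "index",
}


@dataclass(frozen=True)
class ExporterConfig:
    """Static defaults from the splunk_hec exporter block in the YAML."""
    source: str = ""
    sourcetype: str = ""
    index: str = ""


def apply_resource_action(resource, key, value, action):
    """Mimic one entry of the `resource` processor's `attributes` list.

    insert: set only if absent; update: set only if present; upsert: always
    set; delete: remove. Returns a new dict, the input is left untouched.
    """
    out = dict(resource)
    if action == "insert":
        out.setdefault(key, value)
    elif action == "update":
        if key in out:
            out[key] = value
    elif action == "upsert":
        out[key] = value
    elif action == "delete":
        out.pop(key, None)
    else:
        raise ValueError(f"unknown action: {action}")
    return out


def to_hec_event(resource, body, cfg):
    """Build one HEC JSON object from a resource and an event body.

    host/source/sourcetype/index come from mapped resource attributes first,
    then from the exporter config; all other attributes become `fields`.
    A resource without host.name produces no `host` key at all, so Splunk
    falls back to its own default for that HEC token.
    """
    event, fields = {}, {}
    for attr, val in resource.items():
        hec_key = HEC_ATTR_MAP.get(attr)
        if hec_key is None:
            fields[attr] = val
        else:
            event[hec_key] = val
    for hec_key in ("source", "sourcetype", "index"):
        if hec_key not in event and getattr(cfg, hec_key):
            event[hec_key] = getattr(cfg, hec_key)
    event["event"] = body
    if fields:
        event["fields"] = fields
    return event


def events_missing_host(events):
    """Indexes of events that would be indexed under Splunk's fallback host."""
    return [i for i, ev in enumerate(events) if "host" not in ev]


def encode_batch(events):
    """HEC accepts several JSON objects in one POST body; newline-separate them."""
    return "\n".join(json.dumps(ev, separators=(",", ":")) for ev in events).encode()


def decode_batch(payload):
    """Parse a batch body back into event dicts, for checking what was sent."""
    decoder, text, pos, out = json.JSONDecoder(), payload.decode(), 0, []
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        out.append(obj)
    return out


if __name__ == "__main__":
    cfg = ExporterConfig(source="mx", sourcetype="otel", index="metrics_test")
    resource = {"service.name": "mx"}          # constructed: client sent no host
    before = to_hec_event(resource, {"msg": "no host"}, cfg)
    fixed = apply_resource_action(resource, "host.name", "TEST1", "insert")
    after = to_hec_event(fixed, {"msg": "host set"}, cfg)
    print("events without host:", events_missing_host([before, after]))  # [0]
    print(encode_batch([before, after]).decode())
```

Because `insert` only fills the attribute when it is absent, a client that already reports its real hostname keeps it, while everything else is labelled with the configured value; use `upsert` if you want to force one host for the whole pipeline.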

Hemnaath
Motivator

Hi Robert,

I need some input from you on implementing OpenTelemetry data in Splunk. We want to do a POC for our client and ingest OpenTelemetry logs and traces into Splunk, and I have the following questions:

  • Is it possible to do this with the Splunk Enterprise trial license, or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data?
  • Can we use the universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector?
  • Please share the link or document for ingesting OpenTelemetry log data into Splunk.

Could you please guide me on this?


robertlynch2020
Motivator
  • Is it possible to do this with the Splunk Enterprise trial license, or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data?
  • [RL] You can get a 10GB dev license or a 50GB one; however, which of these is available depends on whether you are a customer or not. But this is definitely a free Splunk license to get you started.
  • Can we use a universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector?
  • [RL] In our case we did not use the UF, as we developed an exporter to send it directly to Splunk via the HTTP Event Collector.
  • Please share the link or document for ingesting OpenTelemetry log data into Splunk.
  • [RL] I will have to come back to you on this, as I can't fully remember where I got this from.

Hemnaath
Motivator

Hi Robert, 

We are doing a POC for our client; as per the client, we want to ingest ForgeRock OpenTelemetry data into Splunk. For POC purposes we have installed the ForgeRock application and Splunk, both running on a Google Cloud instance (trial version), but we are not sure how to onboard the data into Splunk. So could you please give me some pointers on how to ingest the ForgeRock event data, metrics and logs into Splunk? Kindly share the documents or steps you referred to for ingesting the data into Splunk.

thanks 


Hemnaath
Motivator

Thanks Robert for the quick response on this. I had posted many questions regarding the same on Splunk answers.com but no one had responded.

Please guide me on getting the OpenTelemetry data into Splunk.
