Splunk

Outputs data to Splunk Cloud / Splunk Enterprise. Compatible with Splunk's data input and querying capabilities.

Requirements

To use the Splunk output connector, ensure the following prerequisites are met:

Splunk Cloud or Splunk Enterprise

You must have access to a Splunk Cloud / Enterprise environment to run this output connector. To set up your Cloud / Enterprise environment, refer to Splunk Cloud Setup or Splunk Enterprise Setup.

Setting up a Cloud / Enterprise environment gives you an Endpoint URL, which this connector requires. You will also need an Event Collector Token.

Create an Event Collector Token on Splunk Cloud Platform

  1. Click Settings > Add Data.
  2. Click Monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  8. Click Next.
  9. (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
  10. Click Review.
  11. Confirm that all settings for the endpoint are what you want.
    • If all settings are correct, click Submit.
    • Otherwise, click < to make changes.
  12. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
  13. (Optional) Click Track deployment progress to see progress on how the token has been deployed to the rest of the Splunk Cloud Platform deployment. When you see a status of "Done", you can then use the token to send data to HEC.

Enable HTTP Event Collector (HEC) on Splunk Enterprise

Before you can use Event Collector to receive events through HTTP, you must enable it. For Splunk Enterprise, enable HEC through the Global Settings dialog box as detailed below:

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. In the All Tokens toggle button, select Enabled.
  5. (Optional) Choose a Default Source Type for all HEC tokens. You can also type in the name of the source type in the text field above the drop-down list box before choosing the source type.
  6. (Optional) Choose a Default Index for all HEC tokens.
  7. (Optional) Choose a Default Output Group for all HEC tokens.
  8. (Optional) To use a deployment server to handle configurations for HEC tokens, click the Use Deployment Server checkbox.
  9. (Optional) To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox.
  10. (Optional) Enter a number in the HTTP Port Number field for HEC to listen on. Confirm that no firewall blocks the port number that you specified in the HTTP Port Number field, either on the clients or the Splunk instance that hosts HEC.
  11. Click Save.

Create an Event Collector token on Splunk Enterprise

To use HEC, you must configure at least one token.

  1. Click Settings > Add Data.
  2. Click Monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a source name for events that this input generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. (Optional) In the Output Group field, select an existing forwarder output group.
  8. (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
  9. Click Next.
  10. (Optional) Confirm the source type and the index for HEC events.
  11. Click Review.
  12. Confirm that all settings for the endpoint are what you want. If all settings are correct, click Submit. Otherwise, click the back arrow (<) to make changes.
  13. (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.

Details

The Splunk output connector continuously sends processed data to Splunk, where it can be searched, reported on, and so on. It includes the following key features:

  1. Batch Processing: Data is processed and sent to Splunk in batches to ensure efficient handling of large volumes of data.

  2. Error Handling: The connector includes mechanisms to handle errors gracefully, such as logging issues and retrying failed operations. This helps maintain data integrity and reliability.

  3. HTTP Event Collector Tokens: Splunk indexes ingested data according to the configuration of the token you created for this connector. HEC uses the source, source type, and index specified in the token. If a forwarding output group is configured on a Splunk Enterprise instance, HEC forwards the data to the indexers in that output group.

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

| Setting        | Type    | Required | Description |
|----------------|---------|----------|-------------|
| URL            | string  | Yes      | Your Splunk Cloud Platform URL. |
| Allow Insecure | boolean | No       | Controls TLS certificate verification for the Splunk endpoint; keep it disabled so the connector verifies Splunk's TLS certificates and communication stays secure. |
| Port           | string  | Yes      | The Splunk HTTP Event Collector (HEC) port. |
| Index          | string  | Yes      | The index you want to send data to. If left empty, data is sent to the default index. |
| Username       | string  | Yes      | Administrative username for Splunk index management operations. |

Secrets

| Secret   | Type   | Required | Description |
|----------|--------|----------|-------------|
| Token    | string | Yes      | A 128-bit HEC token that determines the source, source type, and index Splunk uses for ingested data. |
| Password | string | Yes      | Authentication credential that verifies the account's identity. |

Understanding index and token scoping in Splunk

  • By default, each token you create is scoped to send data to any index that exists in your Splunk instance.

    • Consequently, if you specify a token in Monad but no index, data appears in that token's default index in Splunk.
    • If you specify a token and an index, data appears in that index, because the token is by default allowed to send to any existing index.
    • If you want Monad to create the index for you, specify a username and password. Splunk does not support scoping a token to indices programmatically, so make sure the token is not restricted to specific indices in the UI; otherwise the connector returns an error.
  • If you set the allowed indices in the Splunk UI, the token is scoped to send data only to those indices.

    • If you then specify an index with a token in Monad, that index must be in the token's allowed list; otherwise the connector returns an error.
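As an added example (not Monad's connector code or a Splunk library), the following Python sketch ties the Details and scoping sections together: it composes the HEC endpoint from the URL and Port settings, batches events as newline-delimited JSON with the optional Index, authenticates with the token, and uses Splunk's documented HEC reply codes to retry transient failures while surfacing token and index scoping errors (code 7, "Incorrect index") instead of retrying them. The `post` parameter is an assumed hook so the transport can be swapped for a scripted one offline.

```python
import json
import ssl
import urllib.error
import urllib.request

# HEC reply codes from Splunk's HEC documentation: codes tied to the token or index are
# configuration problems that retrying cannot fix; 8 and 9 are transient server conditions.
PERMANENT = {1: "token disabled", 2: "token required", 3: "invalid authorization",
             4: "invalid token", 6: "invalid data format",
             7: "incorrect index: the token is scoped to indices that exclude this one"}
TRANSIENT = {8: "internal server error", 9: "server busy"}

def hec_url(url: str, port: str) -> str:
    """Compose the collector endpoint from the connector's URL and Port settings."""
    return f"{url.rstrip('/')}:{port}/services/collector/event"

def build_batch(events, index=None):
    """One JSON envelope per line. 'index' is set only when the Index setting is
    non-empty, so an empty setting falls back to the token's default index."""
    lines = [json.dumps({"event": ev, **({"index": index} if index else {})},
                        separators=(",", ":")) for ev in events]
    return "\n".join(lines).encode()

def default_post(url, body, headers, allow_insecure):
    """Real transport: POST over HTTPS, verifying the server certificate unless
    Allow Insecure is set. HEC answers 4xx with a JSON body, so parse that too."""
    ctx = ssl.create_default_context()
    if allow_insecure:  # only for lab setups; leaves the token exposed to interception
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())

def send_batch(url, port, token, body, allow_insecure=False, post=default_post, retries=3):
    """Send one batch. Transient HEC codes are retried up to `retries` attempts;
    permanent ones raise immediately. Returns the number of attempts used."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    for attempt in range(1, retries + 1):
        reply = post(hec_url(url, port), body, headers, allow_insecure)
        code = reply.get("code")
        if code == 0:
            return attempt
        if code in TRANSIENT and attempt < retries:
            continue
        reason = PERMANENT.get(code) or TRANSIENT.get(code) or reply.get("text")
        raise RuntimeError(f"HEC code {code}: {reason}")
```

A code 7 reply is the symptom of the scoping mismatch described above (an Index setting outside the token's allowed list), so it is raised to the operator rather than retried.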