Send Data from Edge Delta to Splunk

Prepare to send data to a Splunk destination.

Overview

The Splunk destination node sends items to a Splunk destination.

Configure Splunk

To set up a Splunk destination, you must:

  • Configure a HEC token in Splunk
  • Determine the correct HEC endpoint in Splunk, and
  • Import the Edge Delta dashboard into Splunk.

The process to set up a Splunk destination varies for Splunk Cloud and Splunk Enterprise users.

Step 1: Configure a HEC Token in Splunk

Option 1: Splunk Cloud

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.

Option 2: Splunk Enterprise

To ensure HTTP Event Collector (HEC) is enabled:

  1. In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. Enable the All Tokens toggle option.

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You use the token in the Edge Delta Pipeline configuration.

Step 2: Determine your HEC Endpoint

Before you continue, verify that you have the following information:

  • Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
  • Splunk hostname (from Splunk Browser URI)
  • Input Protocol (HTTPS is default)

Each endpoint can accept either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log; the sourcetype for the HTTP input should be set to Structured > _json. With /event, Splunk’s JSON event format is used and the timestamp is carried in the JSON envelope.

Option 1: Splunk Cloud Format (Cloud, Free Trial, Cloud on GCP)

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event. The formats below show the /event endpoint; for the raw endpoint, replace the final path segment with /raw.

Splunk Cloud

URI Format: https://http-inputs-<splunk_hostname>:443/services/collector/event

Splunk Free Trial

URI Format: https://inputs.<splunk_hostname>:8088/services/collector/event

Splunk Cloud on GCP

URI Format: https://http-inputs.<splunk_hostname>:443/services/collector/event

Option 2: Splunk Enterprise

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event. The format below shows the /event endpoint; for the raw endpoint, replace the final path segment with /raw.

URI Format: https://<splunk_hostname>:8088/services/collector/event
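Before putting the endpoint and token into the pipeline configuration, it helps to confirm that the pair actually works. The following is an added example (not Edge Delta or Splunk code) that builds the HEC URI from the formats above, wraps a constructed test record in the /event JSON envelope, and posts it with the token in the Authorization header; the deployment keys, hostnames and token are placeholders you supply.

```python
"""Build a Splunk HEC URI from the documented formats and send one test event."""
import json
import time
import urllib.request

# URI formats from the documentation above, keyed by deployment type.
# {host} is the bare Splunk hostname; {kind} is "event" or "raw".
HEC_URI_FORMATS = {
    "cloud": "https://http-inputs-{host}:443/services/collector/{kind}",
    "trial": "https://inputs.{host}:8088/services/collector/{kind}",
    "cloud_gcp": "https://http-inputs.{host}:443/services/collector/{kind}",
    "enterprise": "https://{host}:8088/services/collector/{kind}",
}


def hec_uri(deployment, host, kind="event"):
    """Return the HEC URI for a deployment type and endpoint kind ('event' or 'raw')."""
    if kind not in ("event", "raw"):
        raise ValueError("endpoint kind must be 'event' or 'raw'")
    if not host or "/" in host or host.startswith("http"):
        raise ValueError("host must be a bare hostname, not a URL")
    return HEC_URI_FORMATS[deployment].format(host=host, kind=kind)


def event_payload(record, sourcetype="_json", ts=None):
    """Wrap a record in the /event envelope: the timestamp travels inside the JSON."""
    envelope = {"time": ts if ts is not None else time.time(),
                "sourcetype": sourcetype, "event": record}
    return json.dumps(envelope).encode()


def build_request(uri, token, body):
    """POST with the HEC token in the Authorization header, never in the URL or body."""
    return urllib.request.Request(
        uri, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def send_test_event(deployment, host, token, timeout=10):
    """Send a constructed test record; returns the HTTP status (200 means HEC accepted it)."""
    record = {"msg": "hec connectivity test", "source": "edgedelta-setup"}  # constructed
    req = build_request(hec_uri(deployment, host), token, event_payload(record))
    # urlopen verifies the TLS certificate by default; do not disable that for a log sink.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholders: replace with your deployment type, hostname and HEC token.
    print(send_test_event("enterprise", "<splunk_hostname>", "<hec_token>"))
```

A non-200 response (for example 403 for an invalid token or 400 for a malformed envelope) is the signal to fix the token or endpoint before the pipeline starts forwarding.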

Step 3: Import the Edge Delta Dashboard to Splunk

Contact your Edge Delta Sales Engineer so that you can obtain the dashboard XML.

  1. In Splunk, navigate to Search interface.
  2. Click Dashboards.
  3. Click Create New Dashboard.
  4. Enter and configure a dashboard name, description, and permissions.
  5. Click Classic Dashboards, and then click Create.
  6. In the Edit Dashboard page, switch from UI to Source.
  7. Replace the existing XML with the XML from Edge Delta.
  8. Switch back to UI.
  9. Click Save.

Configure Edge Delta

Next, you configure the Splunk destination node to forward data to the Splunk endpoint.