Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a paid Splunk Cloud Platform deployment
Follow these steps to install and configure the Splunk Add-on for Amazon Kinesis Firehose in your paid Splunk Cloud Platform deployment.
Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. Configure the Splunk Add-on for AWS to ingest data from all AWS data sources into Splunk.
If you use both the Splunk Add-on for Amazon Kinesis Firehose and the Splunk Add-on for AWS on the same Splunk instance, you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later to avoid data duplication and discrepancy issues.
Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.
If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.
If your paid Splunk Cloud Platform deployment has a search head cluster, you will need additional assistance from Splunk Support to perform this configuration. See Paid Splunk Cloud Platform with a search head cluster.
If your paid Splunk Cloud Platform instance does not have a search head cluster, follow this procedure.
- Decide what index you want to use to collect your Amazon Kinesis Firehose data. Ensure that this index is enabled and active. Sending data to a disabled or deleted index results in dropped events. If you need to create a new index, see Manage Splunk Cloud Platform indexes.
- Install the add-on to your Splunk Cloud Platform deployment. Submit a case on the Splunk Support Portal. In the case, ask Splunk Support to enable HTTP event collector and create or modify an elastic load balancer to use with this add-on. For Splunk Cloud Platform Victoria stacks, a Firehose HEC elastic load balancer is automatically provisioned. For step-by-step instructions, see Install apps in your Splunk Cloud Platform deployment.
- Wait for Splunk Support to perform the necessary setup and confirm with you once the HTTP event collector is enabled and your elastic load balancer is ready for use. Splunk Support will confirm the URL that you should use for your HTTP event collector endpoint. It should match this format:
https://http-inputs-firehose-<your unique cloud hostname here>.splunkcloud.com:443
- Create an HTTP event collector token with indexer acknowledgments enabled. For step-by-step instructions, see Configure HTTP Event Collector on Splunk Cloud. During the configuration:
- Specify a Source type for your incoming data. See Source types for the Splunk Add-on for Amazon Kinesis Firehose for the source types supported by this add-on.
- Select the Index to which Amazon Kinesis Firehose will send data.
- Check the box next to Enable indexer acknowledgement.
- Save the token that Splunk Web provides. You need this token when you configure Amazon Kinesis Firehose.
- Repeat steps 4, 5, and 6 for each source type from which you want to collect data. Each source type requires a unique HTTP event collector token.
Next step
Configure Amazon Kinesis Firehose to send data to the Splunk platform
Paid Splunk Cloud Platform with a search head cluster
If your paid Splunk Cloud Platform deployment has a search head cluster, follow this procedure.
- Decide what index you want to use to collect your Amazon Kinesis Firehose data. Ensure that this index is enabled and active. Sending data to a disabled or deleted index results in dropped events. If you need to create a new index, see Manage Splunk Cloud Platform indexes.
- Submit a case on the Splunk Support Portal. In the case, ask Splunk Support to:
- Install the Splunk Add-on for Amazon Kinesis Firehose to your Splunk Cloud Platform deployment
- Enable HTTP event collector and create or modify an elastic load balancer for use with this add-on.
- Create an HTTP event collector token for each source type from which you plan to collect data from Amazon Kinesis Firehose. For each of the tokens you request, ask Splunk Support to specify the following parameters:
- The Source type for your incoming data. See Source types for the Splunk Add-on for Amazon Kinesis Firehose for the source types supported by this add-on.
- The Index to which Amazon Kinesis Firehose will send data.
- Wait for Splunk Support to perform the necessary setup and provide the following information:
- The full URL that you should use for your HTTP event collector endpoint. It should match this format:
https://http-inputs-firehose-<your unique cloud hostname here>.splunkcloud.com:443
- Create a token for each source type that you want.
- Save the tokens and the full URL that Splunk Support provides. You need this information when you configure Amazon Kinesis Firehose.
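A pre-flight check for the values gathered in either procedure above, added here as an example and not part of Splunk's documentation or add-on code. It validates the endpoint URL against the documented format and checks that each planned token has indexer acknowledgement on, targets an active index, and is not shared between source types; the dictionary keys, token names, stack name, token values and index names are hypothetical.

```python
import re
from urllib.parse import urlsplit
# Host shape from the URL format on this page; the stack-name character set is an assumption.
HOST_RE = re.compile(r"^http-inputs-firehose-[a-z0-9][a-z0-9-]*\.splunkcloud\.com$")

def check_endpoint(url):
    """Return problems with the HEC endpoint URL; an empty list means it matches."""
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not HOST_RE.match(parts.hostname or ""):
        problems.append("host is not http-inputs-firehose-<stack>.splunkcloud.com")
    if port != 443:
        problems.append("port must be 443")
    if parts.username or parts.password or parts.query:
        problems.append("URL must not carry credentials or a query string")
    return problems

def check_tokens(tokens, active_indexes):
    """Check each planned token; report by name only so token values never reach logs."""
    problems, owner = [], {}
    for t in tokens:
        if not t["use_ack"]:
            problems.append(f"{t['name']}: indexer acknowledgement is off")
        if t["index"] not in active_indexes:
            problems.append(f"{t['name']}: index {t['index']} is not active, events would be dropped")
        first = owner.setdefault(t["token"], t)
        if first is not t and first["sourcetype"] != t["sourcetype"]:
            problems.append(f"{t['name']}: shares a token with {first['name']} (one token per source type)")
    return problems

# Constructed sample plan: stack name, token values and index names are placeholders.
ENDPOINT = "https://http-inputs-firehose-examplestack.splunkcloud.com:443"
ACTIVE_INDEXES = {"aws_firehose"}
TOKENS = [
    {"name": "fh-cloudtrail", "token": "00000000-0000-0000-0000-000000000001",
     "sourcetype": "aws:cloudtrail", "index": "aws_firehose", "use_ack": True},
    {"name": "fh-vpcflow", "token": "00000000-0000-0000-0000-000000000001",
     "sourcetype": "aws:cloudwatchlogs:vpcflow", "index": "aws_old", "use_ack": False},
]
if __name__ == "__main__":
    for p in check_endpoint(ENDPOINT) + check_tokens(TOKENS, ACTIVE_INDEXES):
        print("FAIL", p)
```

With the constructed plan, the endpoint passes and the second token is reported three times: acknowledgement off, inactive index, and a token reused across source types.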
Next step
Configure Amazon Kinesis Firehose to send data to the Splunk platform
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released