Splunk Cloud Platform

Use Ingest Processors

Ingest Processor is currently released as a preview only and is not officially supported. See Splunk General Terms for more information. For any questions on this preview, please reach out to ingestprocessor@splunk.com.

Send data from Ingest Processor to non-connected Splunk platform deployments using HEC

When sending data from the Ingest Processor service to a Splunk Enterprise deployment or a Splunk Cloud Platform deployment that is not connected to your tenant, you can choose to send that data using the HTTP Event Collector (HEC). HEC is a mechanism that allows HTTP clients and logging agents to send data to the Splunk platform over HTTP or HTTPS.

Start by adding a Splunk platform HEC destination in the Ingest Processor service. You can configure the destination to send data to a specific indexer, or to a load balancer or DNS that passes data to multiple indexers. Splunk platform HEC destinations cannot send data to multiple indexers directly.

Then, create a pipeline that uses that destination. When you apply that pipeline, the Ingest Processor service starts sending the data that it receives to your Splunk platform deployment.

The specific index that the data from the Ingest Processor service gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using HEC.

You can also send data using the Splunk-to-Splunk (S2S) protocol instead of HEC, or send data to the Splunk Cloud Platform deployment that is connected to your tenant without needing to add any destinations. For more information, see Sending data from Ingest Processor to Splunk Cloud Platform or Splunk Enterprise.

Precedence order of HEC tokens and metadata field values

When configuring a Splunk platform HEC destination, you must specify a default HEC token. This default token is used only if the data is not already associated with a HEC token. For example, if the Ingest Processor service received an event through HEC, and the Authorization header in the HTTP request that transmitted that event includes a HEC token, then the token in the header is used when you send this event to your Splunk Cloud Platform deployment.

Additionally, you can specify default values for some of the metadata fields in the events.

Source field

When you send data out from the Ingest Processor service using a Splunk platform HEC destination, the value of the source field is determined based on the following precedence order:

  1. The source value that is already specified in the event before the Ingest Processor service receives it.
  2. The Default source setting specified in the Splunk platform HEC destination.
  3. The Source name override setting specified in the HEC token being used.

Sourcetype field

Ingest Processor pipelines only accept events that have a value in the sourcetype field. These sourcetype values remain unchanged when you send processed data from a pipeline to a Splunk platform HEC destination.

However, if you select a Splunk platform HEC destination as the default destination for the Ingest Processor service, then unprocessed events without sourcetype values might be sent through that destination. In this case, the value of the sourcetype field is determined based on the following precedence order:

  1. The Default source type setting specified in the Splunk platform HEC destination.
  2. The Source type setting specified in the HEC token being used.
  3. The Default Source Type setting specified in the HEC global settings of a Splunk Enterprise deployment. This setting is applicable only when you are sending data to Splunk Enterprise.

Index field

The index value is determined based on an extensive precedence order of configurations. See Index precedence order when using HEC for more information.
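The three precedence lists above are easy to misread when a default destination and a default token both carry values, so here is the resolution logic written out as an added example. This is not Ingest Processor code and the class and attribute names (HecDestination, HecToken, Event, resolve_metadata) are assumptions chosen for illustration; the sample tokens and events are constructed. The index field is deliberately left out, because its precedence order is longer and documented separately.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed models of the settings described on this page. The class and
# attribute names are illustrative assumptions, not Ingest Processor or
# Splunk API identifiers.

@dataclass
class HecDestination:
    default_token: str                        # "Default HEC token"
    default_source: Optional[str] = None      # "Default source"
    default_sourcetype: Optional[str] = None  # "Default source type"


@dataclass
class HecToken:
    value: str
    source_override: Optional[str] = None     # token's "Source name override"
    sourcetype: Optional[str] = None          # token's "Source type"


@dataclass
class Event:
    raw: str
    token: Optional[str] = None       # HEC token from the inbound Authorization header, if any
    source: Optional[str] = None
    sourcetype: Optional[str] = None


def first_set(*candidates: Optional[str]) -> Optional[str]:
    """Return the first candidate that has a value, which is what a precedence list means."""
    for candidate in candidates:
        if candidate:
            return candidate
    return None


def resolve_token(event: Event, dest: HecDestination) -> str:
    # A token already associated with the event wins; the destination default is the fallback.
    return event.token or dest.default_token


def resolve_source(event: Event, dest: HecDestination, token: HecToken) -> Optional[str]:
    # 1. source already on the event, 2. destination "Default source", 3. token override
    return first_set(event.source, dest.default_source, token.source_override)


def resolve_sourcetype(event: Event, dest: HecDestination, token: HecToken,
                       platform: str, global_default_sourcetype: Optional[str] = None) -> Optional[str]:
    # Events that already carry a sourcetype (everything a pipeline accepts) keep it unchanged.
    if event.sourcetype:
        return event.sourcetype
    # Unprocessed events routed through a default destination fall back in this order:
    # 1. destination "Default source type", 2. token "Source type",
    # 3. HEC global "Default Source Type", which applies only to Splunk Enterprise.
    candidates = [dest.default_sourcetype, token.sourcetype]
    if platform == "enterprise":
        candidates.append(global_default_sourcetype)
    return first_set(*candidates)


def resolve_metadata(event: Event, dest: HecDestination, tokens: Dict[str, HecToken],
                     platform: str, global_default_sourcetype: Optional[str] = None) -> Dict[str, Optional[str]]:
    token_value = resolve_token(event, dest)
    token = tokens[token_value]
    return {
        "token": token_value,
        "source": resolve_source(event, dest, token),
        "sourcetype": resolve_sourcetype(event, dest, token, platform, global_default_sourcetype),
    }


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    # Constructed sample tokens and events; no real token values are used.
    tokens = {
        "tok-default": HecToken("tok-default", source_override="hec:default", sourcetype="hec_generic"),
        "tok-inbound": HecToken("tok-inbound", source_override="hec:inbound"),
    }
    dest = HecDestination(default_token="tok-default")   # no destination-level defaults set
    processed = Event(raw="{...}", source="/var/log/app.log", sourcetype="app:json")
    unprocessed = Event(raw="{...}")                      # no token, source or sourcetype
    inbound = Event(raw="{...}", token="tok-inbound")     # arrived with its own HEC token
    return {
        "processed": resolve_metadata(processed, dest, tokens, "cloud"),
        "unprocessed": resolve_metadata(unprocessed, dest, tokens, "cloud"),
        "inbound_enterprise": resolve_metadata(inbound, dest, tokens, "enterprise", "hec:global"),
        "inbound_cloud": resolve_metadata(inbound, dest, tokens, "cloud", "hec:global"),
    }


if __name__ == "__main__":
    for name, meta in demo().items():
        print(name, meta)
```

The last two cases show the one platform-dependent branch: the same inbound event gets the HEC global default source type on Splunk Enterprise but ends up with no sourcetype at all on Splunk Cloud Platform, which is worth knowing before you pick a HEC destination as the service default.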

Prerequisites

Before you can add a destination that sends data to the Splunk platform using HEC, you must do the following:

  • In the Splunk platform deployment, turn on the HTTP Event Collector.
  • Turn on the HEC token that you want to use, and make sure that the token configuration meets these requirements:
    • The Enable indexer acknowledgement setting is turned off.
    • The token allows data to be sent to all indexes. In the token configuration settings in Splunk Web, make sure that the Selected Indexes pane of the Select Allowed Indexes control is empty.

    If you try to send data from your Ingest Processor service using a HEC token that doesn't meet these requirements, data loss can occur.

  • If you're planning to send data to multiple indexers, then you must configure a load balancer or DNS to pass the data from the Ingest Processor service to those indexers.
  • Make note of the following information for a specific indexer, or for a load balancer or DNS that is configured to pass data to multiple indexers:
    • The IP address or host name
    • The number of the port used to receive data
  • If you're sending data to an indexer that requires TLS, then obtain the necessary certificates for establishing a TLS connection with the indexer. See Obtaining TLS certificates in this topic for more information.

    Splunk Cloud Platform indexers always require TLS.
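The two token requirements above (indexer acknowledgement off, no index restriction) map directly onto the useACK and indexes settings of a HEC token stanza in inputs.conf, and the global [http] stanza's disabled setting controls whether HEC is on at all. The following is an added example, not Splunk or Ingest Processor code, that reads an inputs.conf excerpt and flags tokens that would cause data loss under this page's rules. The excerpt is constructed and its token values are placeholders.

```python
import configparser
from typing import Dict, List

# Constructed inputs.conf excerpt for illustration. Token values are placeholders.
# The stanza and key names (http, token, disabled, useACK, indexes) are the
# standard Splunk inputs.conf settings for HTTP Event Collector.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0

[http://ingest_processor]
token = 00000000-0000-0000-0000-000000000000
disabled = 0
useACK = 0

[http://ack_and_restricted]
token = 11111111-1111-1111-1111-111111111111
disabled = 0
useACK = 1
indexes = main, security
"""


def is_true(value: str) -> bool:
    """Interpret the boolean spellings Splunk accepts in .conf files."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y", "on")


def check_hec_inputs(conf_text: str) -> Dict[str, List[str]]:
    """Return a mapping of HEC token name -> list of problems against this page's prerequisites."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep key case so useACK stays readable
    parser.read_string(conf_text)

    findings: Dict[str, List[str]] = {}

    # Global [http] stanza: HEC must be turned on for any token to work.
    if parser.has_section("http") and is_true(parser["http"].get("disabled", "0")):
        findings["http"] = ["HTTP Event Collector is disabled globally"]

    for section in parser.sections():
        if not section.startswith("http://"):
            continue
        name = section[len("http://"):]
        stanza = parser[section]
        problems: List[str] = []
        if is_true(stanza.get("disabled", "0")):
            problems.append("token is disabled; turn it on before using it in a destination")
        if is_true(stanza.get("useACK", "0")):
            problems.append("indexer acknowledgement is on (useACK = 1); it must be turned off")
        indexes = stanza.get("indexes", "").strip()
        if indexes:
            problems.append(f"token is restricted to indexes: {indexes}; the allowed-indexes list must be empty")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for token_name, problems in check_hec_inputs(SAMPLE_INPUTS_CONF).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{token_name}: {status}")
```

Run it against a copy of the relevant inputs.conf (typically under etc/apps/splunk_httpinput/local/ on Splunk Enterprise) before wiring the token into a destination; a token that comes back with findings is one the page says can drop data.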

Obtaining TLS certificates

If you're sending data to an indexer that requires TLS encryption, then you need to have the necessary certificates for establishing a TLS connection between the Ingest Processor service and the indexer. In most cases, you must upload these certificates when adding the destination in the Ingest Processor service.

When sending data using HEC, you can choose to use the default certificates provided by the operating system of the Ingest Processor host machine. If you decide to use these default certificates, then you don't need to obtain or upload any certificates to the destination.

TLS requirements for Splunk Cloud Platform

TLS connections with Splunk Cloud Platform indexers require the universal forwarder credentials package. You can download this package from your Splunk Cloud Platform deployment by doing the following:

  1. In the Splunk Web interface for your Splunk Cloud Platform deployment, select Apps, then Universal Forwarder.
  2. Select Download Universal Forwarder Credentials.

Note the location of the credentials file. The credentials file is named splunkclouduf.spl.

TLS requirements for Splunk Enterprise

TLS connections with Splunk Enterprise indexers require the following certificates contained in separate Privacy Enhanced Mail (PEM) files:

  • A client certificate.
  • The private key associated with that client certificate. This private key must be decrypted.
  • The CA certificates used to verify the indexer.

If you don't have these PEM files, ask your Splunk Enterprise administrator for assistance. See the Secure Splunk platform communications with Transport Layer Security certificates chapter of the Securing Splunk Enterprise manual for more information.

Add a Splunk platform HEC destination

  1. In the Ingest Processor service, select Destinations.
  2. On the Destinations page, select New destination, then Splunk platform using HEC.
  3. Provide a name and description for your destination.
    Name: A unique name for your destination.
    Description: (Optional) A description of your destination.
  4. In the Indexer or load balancer field, enter the URL of either an indexer or a load balancer or DNS that is associated with multiple indexers. Use the format <protocol>://<host>:<port>, where <protocol> is either http or https, and <host> is either an IP address or a hostname. If you're using TLS or sending data to Splunk Cloud Platform, then <protocol> must be https.
  5. In the Default HEC token field, enter the value of a HEC token from your Splunk platform deployment. This HEC token is used only when the Ingest Processor service is sending out data that is not already associated with a HEC token.
  6. (Optional) Provide default values for the metadata fields in the events that are sent through this destination. These values are used only if the events do not already contain source, sourcetype, or index values.
    Default source: The name of the source from which the event originates.
    Default source type: A value that identifies the data structure of the event.

    Ingest Processor pipelines only accept events that are already associated with a source type, so the Default source type value does not affect events in pipelines. This value is used only when you select a Splunk platform HEC destination as the default destination for the Ingest Processor service, and events without source types are routed through the destination.

    Default index: The name of the Splunk index that the Ingest Processor service sends the event to.
  7. If your indexer requires TLS and you plan to establish the TLS connection using the default certificates provided by the operating system of the Ingest Processor host machine, then skip this step. If your indexer requires TLS and you're using other certificates that you obtained, then do the following:
    1. Select Turn on TLS.
    2. Set Platform to the type of Splunk platform deployment you want to send data to.
    3. Upload your TLS certificates. If you set Platform to Splunk Cloud Platform, then in the Universal forwarder credentials field, upload the splunkclouduf.spl file that you downloaded from your Splunk Cloud Platform deployment. Otherwise, if you set Platform to Splunk Enterprise, then upload the appropriate private key and certificates in these fields:
      Client private key: A PEM file containing the decrypted private key associated with your client certificate.
      Client certificate: A PEM file containing a client certificate.
      CA certificates: The CA certificates used to verify the indexer.
  8. To finish adding the destination, select Add.
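Steps 4 through 7 carry several rules that the form does not enforce for you in one place: the URL format, the https requirement when TLS is on or the target is Splunk Cloud Platform, the mandatory default token, and the different certificate uploads for the two platform types. The following is an added example, not Ingest Processor code, that checks a planned destination against those rules before you enter it. The function name, parameter names and upload keys are assumptions for illustration.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def validate_hec_destination(url: str, default_token: str, platform: str,
                             turn_on_tls: bool,
                             uploads: Optional[Dict[str, str]] = None) -> List[str]:
    """Check planned destination settings against the rules in this topic.

    platform is "cloud" (Splunk Cloud Platform) or "enterprise" (Splunk Enterprise).
    turn_on_tls mirrors the "Turn on TLS" control: False means no TLS or the
    host operating system's default certificates; True means you upload your own,
    passed in `uploads` (keys are illustrative assumptions). Returns a list of problems.
    """
    problems: List[str] = []
    parts = urlsplit(url)

    # Step 4: <protocol>://<host>:<port>, protocol http or https.
    if parts.scheme not in ("http", "https"):
        problems.append("URL must use the form <protocol>://<host>:<port> with http or https")
    if not parts.hostname:
        problems.append("URL is missing a host (IP address or hostname)")
    try:
        if parts.port is None:
            problems.append("URL is missing a port")
    except ValueError:
        problems.append("URL port is not a valid number")
    if (platform == "cloud" or turn_on_tls) and parts.scheme != "https":
        problems.append("https is required when TLS is on or the target is Splunk Cloud Platform")

    # Step 5: a default HEC token is mandatory.
    if not default_token.strip():
        problems.append("a Default HEC token is required")

    # Step 7: uploaded certificates differ by platform.
    if turn_on_tls:
        uploads = uploads or {}
        if platform == "cloud":
            if not uploads.get("universal_forwarder_credentials", "").endswith(".spl"):
                problems.append("Splunk Cloud Platform needs the splunkclouduf.spl credentials package")
        else:
            for field in ("client_private_key", "client_certificate", "ca_certificates"):
                if not uploads.get(field):
                    problems.append(f"Splunk Enterprise TLS needs a PEM file for {field}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; hosts and file names are placeholders.
    cases = {
        "cloud ok": ("https://idx.example.com:8088", "tok", "cloud", True,
                     {"universal_forwarder_credentials": "splunkclouduf.spl"}),
        "cloud over http": ("http://idx.example.com:8088", "tok", "cloud", False, None),
        "no port": ("https://idx.example.com", "tok", "enterprise", False, None),
        "enterprise missing certs": ("https://10.0.0.5:8088", "tok", "enterprise", True,
                                     {"client_private_key": "client.key.pem"}),
    }
    for label, args in cases.items():
        print(label, "->", validate_hec_destination(*args) or "ok")
```

Note that the Splunk Cloud Platform case with turn_on_tls set to False is accepted: the page allows the host operating system's default certificates, in which case step 7 is skipped entirely even though Cloud indexers always require TLS.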

You now have a destination that you can use to send data from the Ingest Processor service to one or more Splunk indexers using HEC.

To start sending data from the Ingest Processor service to the indexers specified in the destination, create a pipeline that uses the destination you just added and then apply that pipeline. For more information, see Create pipelines for Ingest Processor.

See also

For information about configuring HEC in the Splunk platform, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Cloud Platform Getting Data In manual.

Last modified on 14 March, 2024
 

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

