Splunk® User Behavior Analytics Kafka Ingestion App

Splunk UBA Kafka Ingestion App


Send data from the Splunk platform directly to Kafka

In a typical Splunk UBA configuration, both search results and raw events are sent from the indexers to the search heads. The Splunk search heads are solely responsible for processing the events and keeping track of the number of events processed. This configuration is shown in the following diagram.

This diagram shows how search results are sent from the indexers on the Splunk platform back to the search head, and then to the Splunk UBA output connector. From there, they are sent to Kafka on Splunk UBA for processing, before they are passed to the Splunk UBA parsers.

When working with large data sets, you can send events from the Splunk platform directly to Kafka for ingestion. Sending data directly to Kafka offloads the processing task from the search heads to the indexers. The search heads still track the total number of events processed.

This diagram shows how data is sent directly from the Splunk indexers to Kafka in Splunk UBA. The process is described in the text preceding this image.

To push data from the indexers directly to Kafka in Splunk UBA, perform the following tasks:

  1. Begin by installing the Splunk UBA Kafka Ingestion App on the search head. When a search is issued to a search head, add-ons installed on the search heads are automatically replicated to the indexers. This means all field extractions are also pushed to indexers, and there is no need to install the add-on on the indexers. See Install the Splunk UBA Kafka Ingestion App.
  2. In Splunk UBA, configure a data source and enable Kafka ingestion. See Enable Kafka data ingestion.
  3. In Splunk UBA, start the data source.

After Kafka ingestion is enabled, events from your search results are pushed from the indexers directly to Kafka on Splunk UBA.

Last modified on 09 March, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics Kafka Ingestion App: 1.3, 1.4, 1.4.1, 1.4.2, 1.4.3
