Splunk® Supported Add-ons

Splunk Add-on for Amazon Kinesis Firehose

Configure Amazon Kinesis Firehose to send data to the Splunk platform

Prerequisite
Before you configure Amazon Kinesis Firehose to send data to the Splunk platform, you need to prepare the Splunk platform to receive the data. If you have not already done so, see Installation and configuration overview for the Splunk Add-on for Amazon Kinesis Firehose and follow the directions for your Splunk platform deployment type.

Go to the AWS Management Console to configure Amazon Kinesis Firehose to send data to the Splunk platform. See Choose Splunk for Your Destination in the AWS documentation for step-by-step instructions. Repeat this process for each token that you configured in the HTTP event collector, or that Splunk Support configured for you.

When prompted during the configuration, enter the following information:

Field in Amazon Kinesis Firehose configuration page Value
Destination Select Splunk.
Splunk cluster endpoint If you are using managed Splunk Cloud, enter your ELB URL in this format: https://http-inputs-firehose-<your unique cloud hostname here>.splunkcloud.com:443.
For example, if your Splunk Cloud URL is https://mydeployment.splunkcloud.com, enter https://http-inputs-firehose-mydeployment.splunkcloud.com:443.
If you are on a distributed Splunk Enterprise deployment, enter the URL and port of your data receiver node.
For example, if you have an ELB that proxies traffic to your indexers with DNS name example-test-123456789.us-east-1.elb.amazonaws.com and port 443, enter https://example-test-123456789.us-east-1.elb.amazonaws.com:443.
If you want to send data directly to multiple Splunk indexers acting as your data collection nodes, you need a URL that resolves to multiple IP addresses (one for each node) with the port enabled for HTTP event collector on those nodes.
For example, if the hostname that resolves to your indexers is inputs.example-deployment.com, enter https://inputs.example-deployment.com:8088.
If you are on a single-instance Splunk Enterprise deployment, enter the HEC endpoint URL and port.
For example, if your HEC endpoint is https://10.130.33.112:8088, enter https://10.130.33.112:8088.
Splunk endpoint type Select raw for most events using Kinesis Data Firehose. If your AWS Lambda function specifically makes your events into JSON format, then select event. For more information about preprocessing events, see Event formatting requirements.
Authentication token Enter your HTTP event collector token that you configured or received from Splunk Support.
S3 backup mode Best practice: Backup all events to S3 until you have validated that events are fully processed by the Splunk platform and available in Splunk searches. You can adjust this setting after you have verified data is searchable in the Splunk platform.

After you configure Amazon Kinesis Firehose to send data to the Splunk platform, go to the Splunk search page and search for the source types of the data you are collecting. See Source types for the Splunk Add-on for Amazon Kinesis Firehose for a list of source types that this add-on applies to your Firehose data. Validate that the data is searchable in the Splunk platform before you adjust the S3 backup mode setting in the AWS Management Console.

If you are unable to see your data in the Splunk platform, see troubleshoot the Splunk Add-on for Amazon Kinesis Firehose.

Last modified on 28 February, 2022
Configure HTTP event collector for the Splunk Add-on for Amazon Kinesis Firehose on a single-instance Splunk Enterprise deployment   Troubleshoot the Splunk Add-on for Amazon Kinesis Firehose

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters