Data Manager

User Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Onboard GCP in Data Manager

Data Manager helps you quickly set up GCP accounts for data ingestion into your Splunk Cloud deployment.

Logging in and getting started with Data Manager

Complete the following steps to get started:

  1. Log into Splunk Cloud using Splunk-provided credentials.
  2. Save the email that contains the credentials. It contains a Forgot Password link, in case you need to reset your password.
  3. Change your password at the prompt.
  4. Sign the terms and conditions.
  5. Start onboarding or take the product tour.

Data Manager walks you through adding existing data sources so that you can monitor and investigate any alerts that impact the security state of your environment. It also helps you to see which services you are ingesting, but not yet using, so that you can expand your security coverage.

Onboarding best practices

When creating a data input for the folders or organization in your GCP deployment, verify that a child folder or project in the same deployment has not yet already been configured in this input or any other input. This can result in data duplication.

Stages of onboarding

Data Manager walks you through various stages of onboarding your GCP accounts.

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

Onboard a GCP account

Onboarding a GCP account consists of the following stages:

  1. Configure the GCP prerequisites in the data account.
  2. Configure the data account, regions, and data sources.
  3. Create a data ingestion Terraform stack.

This image shows an example of a GCP account onboarding flow.

Summary of Terraform templates

A high-level summary of Terraform templates follows.

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

  1. Splunk provides Terraform templates to set up the data ingestion dataflow job in the project that you want.
    1. This allows Splunk to read data from Access Transparency Logs and Data Access Logs.
    2. The template creates an IAM role for each project with the correct permission set will be attached to this service account.
  2. You apply the templates.

Deploy Terraform templates

Data Manager sets up resources, such as IAM roles for each project that you select for data onboarding.

Deploying templates takes approximately ten minutes.

  1. Splunk provides a nested stack set template, which takes a couple of minutes to prepare.
  2. You download the template when the download button is enabled.
  3. You apply the template to start setting up resources across all the list of GCP projects, for data ingestion into Splunk through the HTTP Event Collector (HEC).
  4. Data starts flowing within approximately five minutes.

The template preparation period varies depending on the number of data sources you selected during onboarding. After you specify the data sources that need to be onboarded, the backend synchronously creates one HTTP Event Collector (HEC) token for every dataset as part of the final download ingest templates operation.

You see this as a disabled download button in the UI until all the tokens are created. If you hover over the download button, you see the message regarding template preparation. There is also an information banner with status and tips. The template download button is enabled when all tokens are created for data ingestion through the Firehose.

Click Finish to navigate to the Data Management home page and see your data input.

Last modified on 20 March, 2023
GCP prerequisites for Data Manager
About Terraform templates

This documentation applies to the following versions of Data Manager: 1.8.2

Was this documentation topic helpful?

You must be logged into in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters