Onboard GCP in Data Manager
Data Manager helps you quickly set up GCP accounts for data ingestion into your Splunk Cloud deployment.
Logging in and getting started with Data Manager
Complete the following steps to get started:
- Log into Splunk Cloud using Splunk-provided credentials.
- Save the email that contains the credentials. It contains a Forgot Password link, in case you need to reset your password.
- Change your password at the prompt.
- Sign the terms and conditions.
- Start onboarding or take the product tour.
Data Manager walks you through adding existing data sources so that you can monitor and investigate any alerts that impact the security state of your environment. It also helps you to see which services you are ingesting, but not yet using, so that you can expand your security coverage.
Onboarding best practices
When creating a data input for the folders or organization in your GCP deployment, verify that a child folder or project in the same deployment has not yet already been configured in this input or any other input. This can result in data duplication.
Stages of onboarding
Data Manager walks you through various stages of onboarding your GCP accounts.
The onboarding steps are described in detail within Data Manager. The details are not duplicated here.
Onboard a GCP account
Onboarding a GCP account consists of the following stages:
- Configure the GCP prerequisites in the data account.
- Configure the data account, regions, and data sources.
- Create a data ingestion Terraform stack.
Summary of Terraform templates
A high-level summary of Terraform templates follows.
The onboarding steps are described in detail within Data Manager. The details are not duplicated here.
- Splunk provides Terraform templates to set up the data ingestion dataflow job in the project that you want.
- This allows Splunk to read data from Access Transparency Logs and Data Access Logs.
- The template creates an IAM role for each project with the correct permission set will be attached to this service account.
- You apply the templates.
Deploy Terraform templates
Data Manager sets up resources, such as IAM roles for each project that you select for data onboarding.
Deploying templates takes approximately ten minutes.
- Splunk provides a nested stack set template, which takes a couple of minutes to prepare.
- You download the template when the download button is enabled.
- You apply the template to start setting up resources across all the list of GCP projects, for data ingestion into Splunk through the HTTP Event Collector (HEC).
- Data starts flowing within approximately five minutes.
The template preparation period varies depending on the number of data sources you selected during onboarding. After you specify the data sources that need to be onboarded, the backend synchronously creates one HTTP Event Collector (HEC) token for every dataset as part of the final download ingest templates operation.
You see this as a disabled download button in the UI until all the tokens are created. If you hover over the download button, you see the message regarding template preparation. There is also an information banner with status and tips. The template download button is enabled when all tokens are created for data ingestion through the Firehose.
Click Finish to navigate to the Data Management home page and see your data input.
GCP prerequisites for Data Manager | About Terraform templates |
This documentation applies to the following versions of Data Manager: 1.8.2
Feedback submitted, thanks!