Splunk® Data Stream Processor

Install and administer the Data Stream Processor

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Configure your Splunk environment to monitor DSP logs

You can ingest DSP log files into your Splunk environment and use Splunk software to analyze the logs.

To get started analyzing the health of your DSP deployment with Splunk software you must configure DSP to send the log files and you must configure your Splunk environment to properly receive the log files.

The Splunk App for DSP includes a default configuration. The defaults can be adjusted to suit your deployment. The configurations may need to be distributed to other Splunk components for distributed environments.

Configure Splunk Enterprise or Splunk Cloud Platform to receive DSP log files

Before sending DSP log files to Splunk Enterprise or Splunk Cloud Platform, you must configure your Splunk environment to properly receive the log file data.

Prerequisites

You will need a Splunk instance with HEC enabled and a valid HEC token. Your HEC token must be configured to send data to an index. For information about how to enable HEC and create a HEC token, see Use the HTTP Event Collector in Splunk Web.

Make a note of the following details from your Splunk HEC configuration:

  • Your Splunk Enterprise or Splunk Cloud Platform URL or IP address.
  • The port assigned to Splunk HEC.
  • The HTTP protocol used by Splunk HEC (HTTP or HTTPS).
  • The HEC token from your Splunk HEC configuration.
  • The Splunk index used to receive the log data.

Set a target index for DSP logs

You must define an index in Splunk Enterprise or Splunk Cloud Platform for your DSP log data. The default index for the DSP log data is _dsp_internal. It is best practice for Splunk Enterprise to use the default index, but depending on your needs and local configuration, you can define a custom index in the indexes.conf file. If you are using Splunk Cloud Platform, you must define a custom index.

See Create custom indexes for information about creating custom indexes in Splunk Enterprise. See Manage Splunk Cloud Platform indexes for information about creating indexes in Splunk Cloud Platform.

If you define a custom index, you must edit the macros.conf file in the Splunk App for DSP and update the definition for DSP metrics index in the following stanza. 

[dsp_logs_index]
definition = index=_dsp_internal
iseval = 0

The index defined in macros.conf must match the target index you designate in your Splunk Enterprise or Splunk Cloud Platform configuration

To learn more about configuration files, see:

Configure DSP to send log data to the Splunk platform

Once you've configured your Splunk instance to receive DSP logs, you can configure your DSP cluster to start sending log data to the Splunk platform.

  1. Type the following in the working directory of the main node in your DSP cluster:
    1. Set the URL for your HEC-enabled Splunk environment. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_HEC_HOST <your-splunk-host>
    2. Set the port used by your HEC-enabled Splunk environment. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_HEC_PORT <your-splunk-hec-port>
    3. Set the HTTP protocol (HTTP or HTTPS) that your HEC-enabled Splunk environment is using. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_HEC_PROTOCOL <http|https>
    4. Set the SSL certificate verification status. Set to false if SSL is enabled. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_HEC_INSECURE_HTTPS <true|false>
    5. Set the token that your HEC-enabled Splunk environment is using. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_HEC_TOKEN $(echo -n <your-splunk-hec-token> | base64)

      You cannot send DSP logs to the Splunk platform without your Splunk HEC token.

    6. Set the log index to send log data to. If you are using a custom log index, enter the name of your custom log index instead. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_INDEX <your-splunk-dsp-index>
    7. Enable logs to be sent. 
      ./set-config K8S_SPLUNK_ENTERPRISE_SCK_ENABLED true
  2. After setting the configurations, deploy your changes: 
    ./deploy
  3. Wait for DSP to start sending log data to your Splunk environment.

After some time, DSP starts sending log data to the index that you defined in the [dsp_logs_index] stanza in your Splunk platform configuration settings.

Change how DSP sends log data to the Splunk platform

You can update DSP to send log data to a different Splunk instance or change any of the related settings by re-running the commands described in the previous section. However, before your updated settings can take effect, you must disable and then re-enable log transmission.

  1. Disable log transmission. 
    ./set-config K8S_SPLUNK_ENTERPRISE_SCK_ENABLED false
  2. Deploy your updated settings. 
    ./deploy
  3. Re-enable log transmission. 
    ./set-config K8S_SPLUNK_ENTERPRISE_SCK_ENABLED true
  4. Deploy your updated settings. 
    ./deploy

DSP resumes sending log data to the Splunk platform, using the latest settings that you've specified.

Last modified on 30 September, 2021
Configure your Splunk environment to monitor DSP metrics   Use the Splunk App for DSP to monitor your DSP deployment

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters