Configure SC4S to send syslog data to DSP
To get syslog data from Splunk Connect for Syslog (SC4S) into a data pipeline in the , you must configure your SC4S instance to send the data to DSP. You can then use the Splunk DSP Firehose source function to get this syslog data into a DSP pipeline.
Before you can use SC4S as a data source, you must have a DSP HTTP Event Collector (HEC) token for allowing SC4S to send data to DSP. See Create and manage DSP HEC tokens through the Splunk Cloud Services CLI for more information. You'll need the
<token> value that gets returned when the token is created.
Make sure that the SC4S disk buffer configuration is correctly set up to minimize the number of lost events if the connection to DSP is temporarily unavailable. See Data Resilience - Local Disk Buffer Configuration and SC4S Disk Buffer Configuration for more information on SC4S disk buffering.
- To configure your SC4S instance to use your DSP HEC token, set the following environment variables:
<DSP_HOST>is the IP address of your DSP master node.
SPLUNK_HEC_TOKENto the DSP HEC token value. This is the
<token>value that gets returned when you create the token using the instructions in Create and manage DSP HEC tokens through the Splunk Cloud Services CLI.
- Restart your SC4S workflow.
SC4S starts sending syslog data to DSP. You can now use SC4S as a data source by creating a pipeline that starts with the Splunk DSP Firehose source function. For instructions on how to build a data pipeline, see the Building a pipeline chapter in the Use the Data Stream Processor manual. For information about the source function, see Get data from Splunk DSP Firehose in the Function Reference manual.
Connecting syslog data sources to your pipeline
Connecting multiple data sources to your pipeline
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1