Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Customize your forwarder configuration

This topic covers customizations or additional configurations you can use when setting up forwarders for your deployment.

Use an HTTP load balancer for your forwarders

You can configure the universal forwarders for your deployment to use an HTTP load balancer.

A deployment can use either Splunk to Splunk (S2S) forwarders over TCP or HTTP forwarders, not both. If you already have a forwarder group that uses the S2S service over TCP, you must remove it before you can configure an HTTP forwarder group.

Before you configure an HTTP forwarder group, you will need to obtain an HEC token from your Splunk Enterprise or Splunk Cloud Platform administrator. See Set up and use HTTP Event Collector in Splunk Web in Getting Data In.

To add an HTTP forwarder group, follow these steps:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Select +New Group.
  3. Select the HTTP forwarder type.

    You cannot create an HTTP forwarder group if you have an existing TCP forwarder group.

  4. In the Add a new forwarder group dialog, do the following:
    1. In the Name field, type a name for your forwarder group. This name is displayed on the Forwarder Settings page.
    2. Add your HEC token to the HEC token field.
    3. In the Indexer field, add the address of your HTTP load balancer. HTTP forwarders can only have a single indexer set.
    4. Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
  5. If you do not want to test the connection before the configuration is saved, check the Skip connection check box.
  6. Make sure the Enabled slider button is in the on position.
  7. Click Save.

After you complete these steps, data begins to stream from Splunk SOAR to your Splunk Enterprise deployment through your load balancer.

Adding TLS configuration to your HTTP forwarder group

You can add TLS certificate configuration for an HTTP forwarder group the same way as you would for a TCP forwarder group.

  1. On the Forwarder Settings page, click the edit icon on the right-hand end of the forwarder group's entry.
  2. Click the Certificate configuration tab.
  3. Add your client certificate bundle either by dragging and dropping it onto the box provided, or by clicking the box and navigating to the bundle on your filesystem.
  4. (Conditional) If your Client certificate bundle includes an encrypted private key, type your client certificate password in the Client certificate password box.
  5. Add your TLS certificate by dragging and dropping the certificate onto the box provided, or by clicking the box and navigating to the certificate on your filesystem.
  6. (Optional) Select options as needed:
    • Verify server certificate
    • Verify server name
    • Use client SSL compression
  7. (Optional) If you use common names or Subject Alt names for your servers, add them as comma-separated lists to the Allowed common names or Allowed Subject Alt names fields.
  8. Click Save.
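Before you save an HTTP forwarder group (or if you checked Skip connection check), you can run an equivalent connection check yourself against the load balancer. The script below is an added example, not Splunk's code: it assumes HEC (HTTP Event Collector) is exposed on the load balancer at Splunk's default HEC port 8088, and the URL, token and certificate paths are placeholders for your own values. The TLS options mirror the Verify server certificate, Verify server name and Client certificate bundle settings described above.

```python
import json
import ssl
import urllib.error
import urllib.request


def interpret_hec_reply(http_status, body):
    """Turn an HEC JSON reply into a verdict: code 0 = event accepted, code 17 = HEC is healthy."""
    try:
        reply = json.loads(body)
    except json.JSONDecodeError:
        return f"failed: non-JSON reply (HTTP {http_status})"
    code, text = reply.get("code"), reply.get("text", "")
    if http_status == 200 and code == 0:
        return "ok"
    if http_status == 200 and code == 17:
        return "healthy"
    return f"failed: HTTP {http_status} code {code} ({text})"


def build_tls_context(verify_server, verify_name, ca_bundle=None,
                      client_bundle=None, client_password=None):
    """Build an SSL context matching the group's certificate options (assumed mapping)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # ca_bundle: the uploaded TLS certificate
    if not verify_server:
        ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif not verify_name:
        ctx.check_hostname = False  # chain is still verified, hostname/SAN match is skipped
    if client_bundle:  # PEM containing the client certificate and its (possibly encrypted) key
        ctx.load_cert_chain(client_bundle, password=client_password)
    return ctx


def check_hec(lb_url, hec_token, ctx):
    """Probe the HEC health endpoint, then post one constructed test event through the load balancer."""
    results = {}
    probes = (("health", "/services/collector/health", None),
              ("event", "/services/collector/event", {"event": "soar-forwarder-preflight"}))
    for name, path, payload in probes:
        req = urllib.request.Request(lb_url.rstrip("/") + path,
                                     data=json.dumps(payload).encode() if payload else None,
                                     headers={"Authorization": f"Splunk {hec_token}"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                results[name] = interpret_hec_reply(resp.status, resp.read().decode())
        except urllib.error.HTTPError as exc:  # HEC returns its JSON error body with a 4xx/5xx
            results[name] = interpret_hec_reply(exc.code, exc.read().decode())
        except OSError as exc:  # covers URLError, SSLError and socket failures
            results[name] = f"failed: {exc}"
    return results
```

A run such as `check_hec("https://hec-lb.example.internal:8088", "REPLACE-WITH-HEC-TOKEN", build_tls_context(True, True, "lb-ca.pem"))` returns `{"health": "healthy", "event": "ok"}` when the token, certificate chain and server name all check out; a TLS failure shows up as a `failed:` entry before any token problem does.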

For more information on configuring universal forwarders to use HTTP, see Configure the universal forwarder to send data over HTTP in the Forwarder Manual.

Last modified on 18 September, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current
