Configure Amazon Kinesis Firehose to send data to the Splunk platform
Prerequisite
Before you configure Amazon Kinesis Firehose to send data to the Splunk platform, go to the AWS Management Console and configure Amazon Kinesis Firehose to send data to the Splunk platform. See Choose Splunk for Your Destination in the AWS documentation for step-by-step instructions. Repeat this process for each token that you configured in the HTTP event collector, or that Splunk Support configured for you.
When prompted during the configuration, enter the following information:
Field in Amazon Kinesis Firehose configuration page | Value |
---|---|
Destination | Select Splunk. |
Splunk cluster endpoint | If you are on a single-instance Splunk Enterprise deployment, enter the HEC endpoint URL and port. For example, if your HEC endpoint is https://10.130.33.112:8088 , enter https://10.130.33.112:8088 .
|
Splunk endpoint type | Select raw unless you are using an AWS Lambda function to format your events for the HTTP event collector event endpoint, in which case you should choose event. |
Authentication token | Enter your HTTP event collector token that you configured or received from Splunk Support. |
S3 backup mode | Best practice: Backup all events to S3 until you have validated that events are fully processed by the Splunk platform and available in Splunk searches. You can adjust this setting after you have verified data is searchable in the Splunk platform. |
After you configure Amazon Kinesis Firehose to send data to the Splunk platform, go to the Splunk search page and search for the source types of the data you are collecting. Verify that the data is searchable in the Splunk platform before you adjust the S3 backup mode setting in the AWS Management Console.
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1
Feedback submitted, thanks!