Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a managed Splunk Cloud deployment
Follow these steps to install and configure the Splunk Add-on for Amazon Kinesis Firehose in your managed Splunk Cloud deployment.
Install and configure on a managed Splunk Cloud deployment
If your managed Splunk Cloud deployment has a search head cluster, Splunk Support must complete this configuration. You can do this through the Splunk Support Portal.
If your managed Splunk Cloud instance does not have a search head cluster:
- Select an index to collect your Amazon Kinesis Firehose data. Ensure that this index is enabled and active. Sending data to a disabled or deleted index results in dropped events.
- Install the add-on onto your Splunk Cloud deployment.
- Submit a case to Splunk Support. In the case, ask Splunk Support to enable HEC and create or modify an Elastic Load Balancer to use with this add-on.
- Once Splunk Support performs setup, confirm that HEC is enabled and your Elastic Load Balancer is ready. Splunk Support gives you a URL to use for your HEC endpoint. It should match this format:
https://http-inputs-firehose-<your unique cloud hostname here>.splunkcloud.com:443.
- Create a HEC token with indexer acknowledgments enabled. For step-by-step instructions, see Configure an HTTP Event Collector token. During the configuration:
- Specify the Source type for your incoming data.
- Select the Index to which Amazon Kinesis Firehose will send data.
- Check the box next to Enable indexer acknowledgement.
- Save the token that Splunk Web provides. You need this token when you configure Amazon Kinesis Firehose.
- Repeat steps 5 and 6 for each source type from which you want to collect data. Each source type requires a unique HEC token.
Create a HEC token
To use HEC, you must configure at least one token.
- Click Settings > Add Data.
- Click monitor.
- Click HTTP Event Collector.
- In the Name field, enter a name for the token.
- (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
- (Optional) In the Description field, enter a description for the input.
- (Optional) If you want to enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
- Click Next.
- (Optional) Make edits to source type and confirm the index where you want HEC events to be stored.
- Click Review.
- If all settings are what you want, click Submit. Otherwise, click < to make changes.
- (Optional) Copy the token value that Splunk Web displays and paste it into another document for reference later.
See the "Additional resources" topic at the end of this manual for more information about HEC.
Configure Amazon Web Services to collect data
Install the Splunk Add-on for AWS in a Splunk Cloud deployment
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10