Splunk® User Behavior Analytics Kafka Ingestion App

Splunk UBA Kafka Ingestion App

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® User Behavior Analytics Kafka Ingestion App. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Requirements for Kafka data ingestion

Verify the requirements and compatible software versions for using Kafka data ingestion.

Requirements for using the Splunk UBA Kafka Ingestion App

Before you can send data from Splunk Enterprise directly to Kafka, verify the following:

  • The account being used to install the Splunk UBA Kafka Ingestion App must have admin privileges on Splunk Enterprise.
  • Edit the /etc/hosts file in your Splunk Enterprise environment so that all indexers and search heads are able to resolve the host names of the Splunk UBA nodes.
  • All indexers and search heads must not be on the same subnet that Splunk UBA uses for its containers. By default, Docker containers in Splunk UBA use IP addresses in the 172.x.x.x range. See Change the IP address of your Docker containers in Administer Splunk User Behavior Analytics if you need to modify this IP range.
  • Configure NTP in the Splunk Enterprise environment so that the time on Splunk Enterprise is the same as the time in Splunk UBA.
  • Make sure port 9093 is open on all nodes where the Kafka broker is running so the indexers on Splunk Enterprise can send data to Kafka in Splunk UBA. View the /opt/caspida/conf/deployment/caspida-deployment.conf file to see where services are running in your Splunk UBA deployment.

Compatible Splunk platform and Splunk UBA versions

The following table summarizes the compatibility requirements for the Splunk platform, Splunk UBA, and the Splunk UBA Kafka Ingestion App.

Splunk UBA Kafka Ingestion App version Splunk UBA version Splunk Enterprise version Splunk Cloud Platform version
1.4.1 5.0.4 and higher 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0 8.2.x
1.3 5.0.1 and higher 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0 N/A
1.2 5.0 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0 N/A

Splunk Enterprise must be installed on a supported Linux operating system.

If you using an incompatible version of the Splunk UBA Kafka Ingestion App, you will see error messages beginning with the following text in the Splunk Data Source Search Status Check:

HTTP 400 - Error in 'sendtoubakafka' command: (ValueError) 
Last modified on 01 April, 2022
PREVIOUS
Send data from the Splunk platform directly to Kafka
  NEXT
Install the Splunk UBA Kafka Ingestion App

This documentation applies to the following versions of Splunk® User Behavior Analytics Kafka Ingestion App: 1.4.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters