Splunk® User Behavior Analytics Kafka Ingestion App


Requirements for Kafka data ingestion

Verify the requirements and compatible software versions for using Kafka data ingestion.

Requirements for using the Splunk UBA Kafka Ingestion App

You must meet the following requirements to send data from Splunk Enterprise directly to Kafka:

Account and privileges: The account used to install the Splunk UBA Kafka Ingestion App must have admin privileges on Splunk Enterprise.

Hostname: The Splunk UBA hostname must be resolvable by the indexers. An IP address does not suffice.

Indexers and search heads: If you are a Splunk Enterprise on-premises customer, create a DNS record for UBA so that the indexers can resolve the hostname of the UBA instance and the search heads can resolve the hostnames of the Splunk UBA nodes.

If you are a Splunk Cloud Platform customer, create a public DNS record for UBA so that Splunk Cloud indexers can resolve the hostname of the UBA instance.

None of the indexers or search heads may be on the same subnet that Splunk UBA uses for its containers.

By default, Docker containers in Splunk UBA use IP addresses in the 172.x.x.x range. If you need to modify this IP range, see Change the IP address of your Docker containers in the Administer Splunk User Behavior Analytics manual.

Network Time Protocol (NTP): Configure NTP in the Splunk Enterprise environment so that the time on Splunk Enterprise matches the time in Splunk UBA.

Port 9093: Make sure port 9093 is open on all nodes where the Kafka broker is running so that the indexers on Splunk Enterprise can send data to Kafka in Splunk UBA. View the /opt/caspida/conf/deployment/caspida-deployment.conf file to see where services are running in your Splunk UBA deployment.
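As an added example that is not part of this Splunk documentation, the following Python pre-flight script checks the hostname, subnet and port requirements above from an indexer or search head. The UBA hostname, the reading of "172.x.x.x" as 172.0.0.0/8 and the placeholder uba.example.com are assumptions of the example, not values from the page.

```python
import ipaddress
import socket
import sys

# Values from the page: Kafka broker port and the default Docker container range.
KAFKA_PORT = 9093
CONTAINER_RANGE = ipaddress.ip_network("172.0.0.0/8")  # "172.x.x.x"; assumption, narrow to your real CIDR


def is_ip_literal(host: str) -> bool:
    """The page requires a DNS-resolvable hostname; an IP literal does not suffice."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shares_container_range(addr: str, container_range=CONTAINER_RANGE) -> bool:
    """Indexers and search heads must not sit on the subnet UBA's containers use."""
    return ipaddress.ip_address(addr) in container_range


def check_requirements(uba_host: str, local_addrs: list) -> list:
    """Offline checks; returns findings (an empty list means these checks passed)."""
    findings = []
    if is_ip_literal(uba_host):
        findings.append(f"UBA host {uba_host!r} is an IP literal; use a DNS-resolvable hostname")
    for addr in local_addrs:
        if shares_container_range(addr):
            findings.append(f"local address {addr} overlaps the UBA container range {CONTAINER_RANGE}")
    return findings


def check_network(uba_host: str, port: int = KAFKA_PORT, timeout: float = 3.0) -> list:
    """Online checks from this node: the hostname resolves and port 9093 accepts a TCP connection."""
    try:
        resolved = socket.gethostbyname(uba_host)
    except socket.gaierror as exc:
        return [f"cannot resolve {uba_host!r} from this node: {exc}"]
    try:
        with socket.create_connection((resolved, port), timeout=timeout):
            return []
    except OSError as exc:
        return [f"TCP {resolved}:{port} unreachable (is 9093 open on the Kafka broker nodes?): {exc}"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "uba.example.com"  # constructed placeholder hostname
    local = [socket.gethostbyname(socket.gethostname())]  # this node's own address
    for finding in check_requirements(host, local) + check_network(host):
        print("FAIL:", finding)
```

NTP alignment is not checked by this script; compare the clocks on both sides separately.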


Compatible Splunk platform and Splunk UBA versions

Verify the compatibility requirements for the Splunk platform, Splunk UBA, and the Splunk UBA Kafka Ingestion App. See the Splunk UBA product compatibility matrix in the Plan and Scale your Splunk UBA Deployment manual.

Splunk Enterprise must be installed on a supported Linux operating system.

If you are using an incompatible version of the Splunk UBA Kafka Ingestion App, you will see error messages beginning with the following text in the Splunk Data Source Search Status Check:

HTTP 400 - Error in 'sendtoubakafka' command: (ValueError) 
Last modified on 16 September, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics Kafka Ingestion App: 1.4.5

