Splunk Cloud
  • 29 Apr 2024
  • 2 Minutes to read
  • Contributors

    Splunk Cloud


      Article summary

      Understanding Data Exporting to Splunk Cloud

      This article describes how to configure Splunk Cloud. It is a software product that enables you to search, analyze, and view the data gathered from the components of your IT infrastructure or business. Splunk collects data from websites, applications, sensors, devices, and so on. You can configure Splunk Cloud to have full visibility of your Harmony SASE activities.

      Setting up the Splunk Event Collector

      The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.
      After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files.

      Enabling an HTTP Event Collector


      According to official Splunk documentation, Managed Splunk Cloud customers may need to contact Splunk support to perform this step.

      1. Click Settings > Data Inputs .
      2. Click HTTP Event Collector.
      3. Click Global Settings.
        httpsdocssplunkcomimagesbb863HTTPECGlobalSettings.png
      4. In the All Tokens toggle button, select Enabled.
      5. To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox (This is enabled by default in Splunk Cloud and can be disabled in Splunk Enterprise only).
      6. Click Save.

      Creating an Event Collector Token

      1. Click Settings > Add Data.
      2. Click monitor.
      3. Click HTTP Event Collector.
      4. In the Name field, enter a name for the token.
      5. Make sure indexer acknowledgment is disabled for this token.
      6. Click Next.
      7. Click Review.
      8. Confirm that all settings for the endpoint are what you want.
      9. If so, click Submit.

      Configuring the Management Platform

      You need to configure the integration from the Harmony SASE side.

      1. Log in to your Harmony SASE Management Platform, and navigate to Settings, and select Add at the Splunk row.
        360008203540ScreenShot2020-01-21at120748.png
      2. Fill in the following information:
        360008351980ScreenShot2020-01-26at114214.png
      • HEC Host: Enter an appropriate value according to your Splunk tier (replace {hostname} with your Splunk server hostname).

      Splunk Cloud (paid):inputs-<host>

      Splunk Cloud (free-trial):<host> ORinputs.<host>

      • HEC port: 8088 for Splunk Cloud free trial and 443 for Splunk Cloud paid
      • Protocol: HTTP for a free trial and HTTPS for paid.
      • Verify Server SSL Certificate (HTTPS only): If you are using a self-signed certificate disable SSL verification, however, if you are using a CA-signed certificate make sure to enable it.
      • HEC URIFilled automatically
      • Authentication token: Enter the token you generated at Splunk.

      3. Select Validate.

      Recommendations

      • Regularly review the integration settings to ensure continuous data flow between Harmony SASE and Splunk Cloud.
      • In case of any error codes, refer to the provided error messages for guidance on resolving the issues

      Troubleshooting

      The following status codes have particular meaning for all HTTP Event Collector endpoints:

      HTTP status code IDHTTP status codeStatus messageAction required
      200OKSuccessNone
      403ForbiddenToken disabledEnable token at Splunk Web.
      401UnauthorizedInvalid authorizationPlease make sure you entered a valid token.
      403ForbiddenInvalid tokenPlease make sure you entered a valid token.
      500Internal ErrorInternal server errorPlease contact our support team indication the error. We will examine the integration logs and further instruct you.
      503Service UnavailableServer is busyThere are too many requests pending in the Splunk server queue. Please try again later.
      400Bad RequestData channel is missing

      Edit the token at the Splunk Platform and make sure to untick Indexer Acknowledgement.

      400Bad RequestError in handling indexed fields

      Please contact our support team indicating the error. We will examine the integration logs and further instruct you.


      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com


      Was this article helpful?