Splunk Cloud
  • 04 Nov 2020
  • 2 Minutes To Read
  • Contributors
  • Print
  • Dark

Splunk Cloud

  • Print
  • Dark

This article describes how to configure Splunk Cloud. It is a software product that enables you to search, analyze, and view the data gathered from the components of your IT infrastructure or business. Splunk collects data from websites, applications, sensors, devices, and so on. You can configure Splunk Cloud to have full visibility of your Perimeter 81 activities.

  • Setting up the Splunk Event Collector
  • Configuring the Management Platform
  • Handling possible error codes

Setting up the Splunk Event Collector

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.
After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files.

Enabling an HTTP Event Collector

According to official Splunk documentation, Managed Splunk Cloud customers may need to contact Splunk support to perform this step.

  1. Click Settings > Data Inputs .
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. In the All Tokens toggle button, select Enabled.
  5. To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox (This is enabled by default in Splunk Cloud and can be disabled in Splunk Enterprise only).
  6. Click Save.

Creating an Event Collector Token

  1. Click Settings > Add Data.
  2. Click monitor.
  3. Click HTTP Event Collector.
  4. In the Name field, enter a name for the token.
  5. Make sure indexer acknowledgment is disabled for this token.
  6. Click Next.
  7. Click Review.
  8. Confirm that all settings for the endpoint are what you want.
  9. If so, click Submit.

Configuring the Management Platform

You need to configure the integration from the Perimeter 81 side.

  1. Log in to your Perimeter 81 Management Platform, and navigate to Settings, and select Add at the Splunk row.
  2. Fill in the following information:
  • HEC Host: Insert an appropriate value according to your Splunk tier (replace {hostname} with your Splunk server hostname).

Self service cloud Splunk input-{hostname} ;

Managed cloud Splunk http-inputs-{hostname} (regardless if the actual protocol is http or https);

Enterprise Splunk {hostname}

  • HEC port: 8088 by default - according to what you configured in Splunk
  • Protocol: HTTP/HTTPS (according to what you configured in Splunk).
  • Verify Server SSL Certificate (HTTPS only): If you are using a self-signed certificate disable SSL verification, however, if you are using a CA-signed certificate make sure to enable it.
  • HEC URIFilled automatically
  • Authentication token: Insert the token you generated at Splunk.

3. Select Validate.

Handling possible error codes

The following status codes have particular meaning for all HTTP Event Collector endpoints:

HTTP status code IDHTTP status codeStatus messageAction required
403ForbiddenToken disabledEnable token at Splunk Web.
401UnauthorizedInvalid authorizationPlease make sure you inserted a valid token.
Invalid tokenPlease make sure you inserted a valid token.
500Internal ErrorInternal server errorPlease contact our support team indication the error. We will examine the integration logs and further instruct you.
503Service UnavailableServer is busyThere are too many requests pending in the Splunk server queue. Please try again later.
400Bad RequestData channel is missing

Edit the token at the Splunk Platform and make sure to untick Indexer Acknowledgement.

400Bad Request
Error in handling indexed fields

Please contact our support team indicating the error. We will examine the integration logs and further instruct you.