Data Onboarding In Splunk

Hi guys!
Today we are back with another interesting Splunk topic: data onboarding. Data onboarding is the process of forwarding offline or online data into the Splunk environment so that it can be analyzed and visualized according to our requirements, through a search head with the help of SPL queries.
Follow this schematic diagram to get an overview of this blog.

So let's start step by step; hopefully this will add another block to your Splunk knowledge.

Step 1:
First, a universal forwarder (UF) must be installed on the system from which the data is going to be fetched. Then go to the back end of your UF server and open the following path.

$SPLUNK_HOME/etc/system/local

Then create a file named “inputs.conf”; this configuration file will contain the following stanza.

[monitor://<absolute path of the file you want to onboard>]
index = <index name>
sourcetype = <sourcetype name>

Step 2:
Then go to the following path on your UF to configure “outputs.conf”.

$SPLUNK_HOME/bin

And then run the following command.

./splunk add forward-server <IP of Indexer>:9997

Then it will ask for the username and password of your UF.

NOTE: If you want to forward the data to a heavy forwarder (HF), assign the IP of the HF instead; in our case we are forwarding the data to the indexer (IDX) directly, which is why we assign the IP of the IDX.

Step 3:
Now go to the GUI of your indexer and click Settings > Forwarding and receiving > New receiving port > Add new.

Then, in the configure receiving section, enter “9997”, save and proceed further.

Step 4:
Now go to the GUI of the indexer. To create a new index, go to Settings > Indexes > New index.

Note: You don't have to create an index this time, because we are onboarding the data into Splunk's default index (main). If you want to onboard the data into a custom index, follow this step.


Step 5:
Now go to the GUI of your search head (SH) and click Settings > Distributed search > Search peers > Add new.

Peer URI: https://<IDX IP>:8089
Remote username: <username of IDX>
Remote password: <password of IDX>
Confirm password: <password of IDX>

Click save and go ahead.

Step 6:
In this step, first restart your indexer and then restart your UF.
Finally, go to the GUI of your SH and search with your index and sourcetype name; you should see the data in Splunk.
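As an added example (not part of the original post), the shell functions below write the inputs.conf stanza from Step 1 and an outputs.conf equivalent to the add forward-server command from Step 2, refusing a non-absolute monitor path or a malformed port before anything reaches $SPLUNK_HOME/etc/system/local. The file path, index, sourcetype and indexer address used in the comments are placeholders, and the tcpout group name mirrors what the command writes and should be treated as an assumption.

```shell
#!/bin/sh
# Added example, not the original post's code. All paths, hosts and index
# names are placeholders chosen for illustration.

# Write the inputs.conf monitor stanza for one file.
# Usage: write_inputs_conf <conf path> <absolute file to monitor> <index> <sourcetype>
# Example: write_inputs_conf inputs.conf /var/log/auth.log main linux_secure
write_inputs_conf() {
    conf="$1"; target="$2"; index="$3"; sourcetype="$4"
    # monitor:// expects an absolute path; reject anything else early.
    case "$target" in
        /*) ;;
        *) echo "monitor path must be absolute: $target" >&2; return 1 ;;
    esac
    # Keep index names to lowercase alphanumerics, underscore and hyphen
    # (a conservative check; assumed, not taken from the post).
    case "$index" in
        ""|*[!a-z0-9_-]*) echo "invalid index name: $index" >&2; return 1 ;;
    esac
    printf '[monitor://%s]\nindex = %s\nsourcetype = %s\ndisabled = false\n' \
        "$target" "$index" "$sourcetype" > "$conf"
}

# Static outputs.conf equivalent of "splunk add forward-server <host>:<port>".
# The group name "default-autolb-group" is assumed to match what the command writes.
# Usage: write_outputs_conf <conf path> <indexer host or IP> <port>
# Example: write_outputs_conf outputs.conf 10.0.0.5 9997
write_outputs_conf() {
    conf="$1"; host="$2"; port="$3"
    case "$port" in
        ""|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n' > "$conf"
    printf '[tcpout:default-autolb-group]\nserver = %s:%s\n\n' "$host" "$port" >> "$conf"
    printf '[tcpout-server://%s:%s]\n' "$host" "$port" >> "$conf"
}
```

Data sent to port 9997 is not encrypted unless SSL is configured on both the forwarder's outputs.conf and the indexer's inputs.conf, so the indexer address and the UF credentials prompted for in Step 2 deserve the same handling as any other infrastructure secret.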

That’s it, I hope you have understood the concept of data onboarding in Splunk.

Keep following our blog, learn, and stay tuned with us. Next time we will come back with another interesting topic on Splunk; until then, goodbye.

Happy Splunking!!
