Data Onboarding In Splunk
Hi guys!
Today we are back with another interesting Splunk topic: data onboarding. Data onboarding is the process of forwarding offline or online data into the Splunk environment so that it can be analysed and visualised as required, through a search head using SPL queries.
Follow this schematic diagram to get an overview of this post.
So let's start step by step; hopefully this will add another block to your Splunk knowledge.
Step 1:
First, a universal forwarder (UF) must be installed on the system from which the data is to be fetched. Then go to the back end of your UF server and open the following path:
$SPLUNK_HOME/etc/system/local
Create a file named “inputs.conf”; this configuration file will contain the following stanza:
[monitor://<absolute path of the file you want to onboard>]
index = <index name>
sourcetype = <sourcetype name>
Step 2:
Then go to the following path on your UF to configure “outputs.conf”:
$SPLUNK_HOME/bin
and run the following command:
./splunk add forward-server <IP of Indexer>:9997
It will then ask for the username and password of your UF.
NOTE: If you want to forward the data to a heavy forwarder (HF), assign the IP of the HF instead. In our case we are forwarding the data directly to the indexer (IDX), which is why we assign the IP of the IDX.
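The UF-side configuration from Steps 1 and 2, as an added shell example that is not part of the original post. It writes the monitor stanza to inputs.conf (rejecting a relative path, which a monitor stanza must not use), writes an outputs.conf equivalent to what `splunk add forward-server` produces (the stanza layout is an assumption), and provides small checks you can run before restarting the forwarder. `/opt/splunkforwarder`, `/var/log/auth.log`, `linux_secure` and `10.0.0.5` are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check the UF-side
# inputs.conf and outputs.conf from Steps 1 and 2.
# Assumptions: SPLUNK_HOME on the UF is /opt/splunkforwarder; the monitored
# file, index, sourcetype and indexer address are constructed sample values.

# write_monitor_stanza SPLUNK_HOME ABS_PATH INDEX SOURCETYPE
# Appends a [monitor://...] stanza to $SPLUNK_HOME/etc/system/local/inputs.conf.
# Returns 1 (and writes nothing) if ABS_PATH is not absolute.
write_monitor_stanza() {
  home="$1"; path="$2"; index="$3"; sourcetype="$4"
  case "$path" in
    /*) ;;
    *) echo "error: monitor path must be absolute: $path" >&2; return 1 ;;
  esac
  mkdir -p "$home/etc/system/local"
  cat >> "$home/etc/system/local/inputs.conf" <<EOF
[monitor://$path]
index = $index
sourcetype = $sourcetype
disabled = false
EOF
}

# write_tcpout_stanza SPLUNK_HOME INDEXER:PORT
# Appends the outputs.conf stanzas equivalent to
# "splunk add forward-server INDEXER:PORT" (layout assumed).
write_tcpout_stanza() {
  home="$1"; server="$2"
  mkdir -p "$home/etc/system/local"
  cat >> "$home/etc/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = $server

[tcpout-server://$server]
EOF
}

# count_monitor_stanzas FILE -> prints the number of [monitor://...] stanzas
count_monitor_stanzas() {
  grep -c '^\[monitor://' "$1"
}

# stanza_has_key FILE KEY -> 0 if a non-empty "KEY = value" line is present
stanza_has_key() {
  grep -q "^$2 *= *[^ ]" "$1"
}

# Usage on the UF host (constructed sample values):
# write_monitor_stanza /opt/splunkforwarder /var/log/auth.log main linux_secure
# write_tcpout_stanza  /opt/splunkforwarder 10.0.0.5:9997
# /opt/splunkforwarder/bin/splunk restart
```

The checks only confirm the files are well formed; whether the indexer actually accepts the connection is verified after the restarts in Step 6.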
Step 3:
Now go to the GUI of your indexer and click Settings > Forwarding and receiving > New receiving port > Add new.
Then, in the “Configure receiving” section, enter “9997”, save, and proceed.
Step 4:
Now go to the GUI of the indexer. To create a new index, go to Settings > Indexes > New index.
Note: You don't have to create an index this time, because we are onboarding the data into Splunk's default index (main). If you want to onboard the data into a custom index, follow this step.
Step 5:
Now go to the GUI of your search head (SH) and click Settings > Distributed search > Search peers > Add new.
Peer URI: https://<IDX IP>:8089
Remote username: <username of IDX>
Remote password: <password of IDX>
Confirm password: <password of IDX>
Click Save and go ahead.
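The indexer and search-head GUI steps 3 to 5 also have command-line equivalents, shown here as an added example that is not part of the original post. The `splunk enable listen`, `splunk add index` and `splunk add search-server` subcommands are Splunk's own CLI; `10.0.0.5` and the index name `security` are constructed sample values, and the small URI check guards the most common Step 5 mistake, entering the receiving port (9997) instead of the management port (8089).

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalents of Steps 3-5
# plus a format check for the search-peer URI.
# Assumptions: commands run as the Splunk admin user on the respective host;
# 10.0.0.5 and "security" are constructed sample values.

# valid_peer_uri URI -> 0 if URI has the https://<host>:<port> shape that the
# search-peer form in Step 5 expects (management port, normally 8089).
valid_peer_uri() {
  case "$1" in
    https://*:[0-9]*) ;;
    *) return 1 ;;
  esac
  port="${1##*:}"
  [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ]
}

# peer_uri IDX_HOST [PORT] -> prints https://IDX_HOST:PORT (default 8089)
peer_uri() {
  printf 'https://%s:%s\n' "$1" "${2:-8089}"
}

# is_management_port URI -> 0 if the URI uses 8089, the default management
# port; 9997 is the data receiving port and is not a valid search-peer target.
is_management_port() {
  [ "${1##*:}" = "8089" ]
}

IDX=10.0.0.5

# Step 3, on the indexer: open the receiving port (GUI: Forwarding and receiving)
# $SPLUNK_HOME/bin/splunk enable listen 9997

# Step 4, on the indexer: create a custom index (skip when using main)
# $SPLUNK_HOME/bin/splunk add index security

# Step 5, on the search head: register the indexer as a search peer
# $SPLUNK_HOME/bin/splunk add search-server "$(peer_uri "$IDX")" \
#   -remoteUsername admin -remotePassword '<IDX password>'
```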
Step 6:
In this step, first restart your indexer and then restart your UF.
Finally, go to the GUI of your SH and search by your index and sourcetype name; you will see the data in Splunk.
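Before searching on the SH, it is worth confirming on the UF that the forwarder actually connected, which is what this added example (not part of the original post) does. It parses the output of `splunk list forward-server`, a real UF CLI command, whose "Configured but inactive forwards" section is where a forwarder lands when the receiving port from Step 3 is not open or is blocked. The two sample outputs and the address `10.0.0.5` are constructed; the SPL line assumes the `main` index and `linux_secure` sourcetype used in the earlier examples.

```shell
#!/bin/sh
# Added example (not from the original post): verify the forwarding chain
# after the restarts in Step 6. The indexer address and the sample command
# outputs are constructed; SPLUNK_HOME on the UF is assumed to be
# /opt/splunkforwarder.

# forwarder_active SERVER OUTPUT
# OUTPUT is the text printed by "splunk list forward-server" on the UF.
# Returns 0 if SERVER is listed under "Active forwards:",
#         1 if it appears only under "Configured but inactive forwards:"
#           (receiving port not enabled, firewall, or indexer down),
#         2 if it is not configured at all (Step 2 was skipped).
forwarder_active() {
  server="$1"; output="$2"
  active=$(printf '%s\n' "$output" | sed -n '/^Active forwards:/,/^Configured but inactive/p')
  if printf '%s\n' "$active" | grep -qF -- "$server"; then return 0; fi
  if printf '%s\n' "$output" | grep -qF -- "$server"; then return 1; fi
  return 2
}

# Constructed sample outputs in the shape "splunk list forward-server" prints.
SAMPLE_OK='Active forwards:
    10.0.0.5:9997
Configured but inactive forwards:
    None'

SAMPLE_INACTIVE='Active forwards:
    None
Configured but inactive forwards:
    10.0.0.5:9997'

# SPL to run on the search head once the forwarder is active; grouping by
# host and source shows immediately which machine and file the events came from.
SPL_CHECK='index=main sourcetype=linux_secure | stats count by host, source'

# Usage on a real UF:
# forwarder_active 10.0.0.5:9997 "$(/opt/splunkforwarder/bin/splunk list forward-server)"
# case $? in 0) echo active ;; 1) echo configured-but-inactive ;; 2) echo not-configured ;; esac
```

If the forwarder is active but the search returns nothing, check that the index and sourcetype in the search match the inputs.conf stanza exactly, and that the monitored file has received new lines since the UF restarted.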
That's it! I hope you have understood the concept of data onboarding in Splunk.
Keep following our blog, learn, and stay tuned. Next time we will come back with another interesting Splunk topic; until then, goodbye.
Happy Splunking!!