Collect data from Splunk
Most recent version: v0.0.2
See the changelog of this Listener type here.
Overview
Onum supports integration with Splunk.
The Splunk HEC Listener uses the Splunk HTTP Event Collector (HEC) API. The Listener receives events from Splunk forwarders or any client using the HEC protocol and forwards them to the processing Pipeline in Onum. These are the endpoints supported:
/services/collector
POST
JSON formatted events
/services/collector/raw
POST
Raw text events (batched by newline)
/services/collector/health
POST
Health check endpoint
If your source does not support mutual TLS (mTLS) encryption, use the Splunk HEC no mTLS Listener for TLS encryption without requiring mTLS. We always recommend using mTLS encryption for maximum security.
The steps to set up the Splunk HEC no mTLS Listener are the same as below, so you can follow this article.
Important Considerations Regarding Cloud Deployments
In cloud-based Onum installations, the TLS configuration section of the Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions in this article.
If you are defining this Listener in a cloud instance, Onum will automatically provide the Port and TLS configuration (mTLS for the Splunk Listener, TLS for Splunk HEC no mTLS Listener).
In cloud deployments, these Listeners have an additional step in their creation process: Network configuration. Use these details to configure your data source to communicate with Onum. Click Download certificate to get the required certificate for the connection. You can also download it from the Listener details once it is created.
When configuring a Listener in a cloud tenant, the port will always be 443. In on-prem deployments, the selected port must fall within the range of 1024 to 10000.
In cloud deployments, endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that this may last up to 24-48 hours, depending on your organization's DNS configuration.
Your data input must use the Server Name Indication (SNI) method, which means it must send its hostname in the TLS authentication process. If SNI is not used, the certificate routing will fail, and data will not be received, even if the certificate is valid.
Select Splunk HEC from the list of Listener types and click Configuration to start.
Splunk Setup
You will need to create the required Splunk HEC token(s) for API authentication. Learn how to create and manage Splunk HEC tokens in this article.
Onum Setup
Log in to your Onum tenant and click Listeners > New listener.
Double-click the Splunk HEC Listener.
Enter a Name* for the new Listener. Optionally, add a Description and some Tags to identify the Listener.
Enter the Port* you to listen on. The default value is 8088.
Then choose the required authentication method:
Single API key - Choose this option if you're using a single endpoint. Select your Splunk HEC token from the list of secrets or create a new one. To create a new secret, click the Select an API Key field and select New secret. In the window that appears, give your secret a Name and turn off the Expiration date toggle if not needed. Then, click Add new value and paste the token you generated. Click Save when you're done.
Multiple API keys - Choose this option if you're using several endpoints and want to use only a single Listener. Click + Add API key and add as many Splunk HEC tokens as required. For each of them, enter the Token name and click Select API key to choose it from the list or secrets or create it.
Learn more about secrets in this article.
In the Advanced configuration section, you can activate the following options:
In cloud-based Onum installations, the TLS configuration section is not visible. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration.
If you see this section, you must enter the required Certificate, Private key and CA Chain. Learn how to generate these self-signed certificates in this article. Once you have them, click New secret in each field and add the corresponding values.
Now there are two possible scenarios:
If you didn't enter your TLS certificates, when you click Create listener you'll see the Network configuration screen, which shows the Address and Port needed to communicate with Onum. Here you will download the certificate (see the steps after creation to do this).
You can access all this information in the Listener details after creation, so don't worry.
If you entered the TLS certificates, you'll go directly to the Labels when you eventually click create Listener.
Enable TLS - Activate this option and configure the following settings if you need to configure TLS authentication:
Select minimum TLS version* - Choose the required TLS version from the list.
Select type* - Choose the required client authentication type from the list.
Select certificate* - Select your certificate from the list of secrets or create a new one.
Select private key* - Select your private key from the list of secrets or create a new one.
Skip TLS validations - Decide whether to skip TLS validation or not.
Enable Acknowledgment - The Splunk HEC acknowledgement endpoint (
/services/collector/ack) allows clients to verify if events were successfully indexed by checking the status ofackIDs. However, keep in mind that the response lists all event IDs from the acknowledgment request, regardless of whether the events were received or processed.
Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.
Learn more about labels in this article.
Click Create listener when you're done.
Last updated
Was this helpful?