Configuring Splunk Destination
After you set up your Legacy Data Connector virtual appliance, you must set up certain configurations so the Legacy Data Connector can gather relevant information from the Grid members, and then send the data to Splunk.
The following are required to configure a Splunk destination:
- Legacy Data Connector version 2.0 and later
- Security Ecosystem license installed on your NIOS Grid, if the Grid is running version NIOS 7.3 or later.
To configure the Legacy Data Connector to send DNS data to a Splunk destination, you can log in to the Data Connector CLI and complete the following:
- Add one or more Splunk indexers to which the Legacy Data Connector sends DNS data. Enter a valid indexer IP address and (optionally) enter the indexer port number between 1 and 65536. The default indexer port number is 9997. If you do not specify the port number in this step, you can configure it later using the set port <number> command. Run the following command to add Splunk indexers:
data.destination.splunk > add indexer <address>[:optional_port]
Example:
data.destination.splunk > add indexer 10.1.1.0
ok
data.destination.splunk > add indexer 10.1.1.2
ok
- Specify the index name where the DNS data will be saved. You can get the index name from your Splunk administrator. Run the following command to specify the index name:
data.destination.splunk > set indexname <string>
Example:
data.destination.splunk > set indexname xyz
- Optionally, specify the Splunk sourcetype. The Splunk sourcetype is used to tag DNS data. The default sourcetype is ib:dns:captures. Run the following command:
data.destination.splunk > set sourcetype <string>
Example:
data.destination.splunk > set sourcetype ib:dns:captures
- Upload the Certification Authority bundle in .PEM format which is used to authenticate Splunk forwarder traffic with Splunk indexers. You can get the Certification Authority bundle from your Splunk administrator. Run the following command to import the Certification Authority bundle from a SCP server or an FTP server:
data.destination.splunk > cacertificate import <scp|ftp>://loginname@serverIP:[port:]path
Example:
data.destination.splunk > cacertificate import scp://root@10.2.1.1:999/DB1/
- Generate a certificate request in .PEM format. This certificate request must be signed by the third-party Certification Authority to get a Forwarder Certificate. Run the following command:
data.destination.splunk > certificate request
Generating Forwarder Private key... Done
Below is Certificate Request.
Please pass it to your Certification Authority for signing to get Forwarder Certificate.
-----BEGIN CERTIFICATE REQUEST-----
CUEybjcJD/4+Q8cSHmMU7VOpp1VEs9W4Fwi5QHtn0/zz4a2bEIlJ/
-----END CERTIFICATE REQUEST-----
ok
You must send the generated certificate request to the Certification Authority for signing and get the Forwarder Certificate.
- Upload the Forwarder Certificate signed by the third-party Certification Authority. Run the following command to import the Forwarder Certificate from a SCP server or an FTP server:
data.destination.splunk > certificate import <scp|ftp>://loginname@serverIP:[port:]path
Example:
data.destination.splunk > certificate import scp://root@10.2.1.1:999/DC2/
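As an added example (not Infoblox or Splunk code), the following shell script stands in for the third-party Certification Authority in the steps above: it signs a CSR like the one certificate request prints, then runs the two checks worth doing before certificate import, namely that the Forwarder Certificate chains to the CA bundle and that it matches the forwarder's key. All file names and subjects are constructed; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: a throwaway lab CA plays the third-party Certification Authority
# so the PEM artefacts from the steps above can be exercised end to end.
# Every name, subject and path here is constructed.
set -e
WORK=$(mktemp -d)

# Create the lab CA. ca-bundle.pem is what `cacertificate import` would receive.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.pem" 2>/dev/null
}

# Stand-in for `certificate request`: on the appliance the private key stays
# on the box and only the CSR is handed out; here both are generated locally.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldc-forwarder" \
    -keyout "$WORK/fwd.key" -out "$WORK/fwd.csr" 2>/dev/null
}

# What the CA does with the CSR: issue the Forwarder Certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/fwd.csr" -CA "$WORK/ca-bundle.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/fwd-cert.pem" 2>/dev/null
}

# Pre-upload check 1: the signed certificate must chain to the imported bundle,
# otherwise forwarder-to-indexer TLS fails once the mode is set to forward.
# Exit status 0 means the certificate verifies against the bundle.
verify_forwarder_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-upload check 2: the certificate the CA returned must carry the public key
# that belongs to the forwarder's private key (compare SubjectPublicKeyInfo).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

make_ca
make_csr
sign_csr
verify_forwarder_cert "$WORK/ca-bundle.pem" "$WORK/fwd-cert.pem" \
  && echo "forwarder certificate chains to ca-bundle.pem"
key_matches_cert "$WORK/fwd.key" "$WORK/fwd-cert.pem" \
  && echo "forwarder certificate matches fwd.key"
```

The same bundle can be handed to openssl s_client -connect <indexer>:9997 -CAfile ca-bundle.pem to confirm that an indexer presents a certificate the bundle trusts before the mode is switched to forward.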
- Change the default output mode for the Splunk output. By default, the Splunk output mode is set to 'disabled'. You can change the Splunk output mode to 'forward' only after you have configured all the above parameters. Run the following command to change the default output mode:
data.destination.splunk > set mode [forward|hold|disabled]
Example:
data.destination.splunk > set mode forward
Data will start transmitting immediately
ok
For information about changing the output mode, see Changing the Destination Mode. Optionally, configure additional parameters to improve the performance of the Legacy Data Connector:
Note: For more information about these parameters, refer to the Splunk documentation.
- Parallelization settings: Set a value to allow concurrent data processing pipelines on Splunk indexers and forwarders. The setting allows multiple data streams to be processed by using additional CPU cores, thus accelerating data parsing. Note that the queries per second will be impacted negatively when the parallelization value is increased. The default value is 2.
data.destination.splunk > set parallelPipeLines [1|2]
Example:
data.destination.splunk > set parallelPipeLines 2
Ok
- User acknowledgement: Set it to on if you want the Splunk forwarder to wait for an acknowledgement from the Splunk indexer that the query has been received. The default value is off.
data.destination.splunk > set useACK [on|off]
Example:
data.destination.splunk > set useACK on
ok
data.destination.splunk > useAck
Splunk useAck is Enabled
- Maximum queue size: Set a size to control the number of events that can be stored in memory at any point in time. If the connection between the Splunk forwarder and the indexer goes down, the forwarder fills up the queue with ready-to-send data. The default value is 128 MB.
data.destination.splunk > set maxQueueSize [<integer>|<integer>[KB|MB|GB]|auto]
Example:
data.destination.splunk > set maxQueueSize 128MB
ok
- Maximum KBps: Set the maximum speed, in kilobytes per second, at which the incoming data should be processed. Use this setting to control the CPU load while indexing. The default value is 0 (unlimited).
data.destination.splunk > set maxKBps <integer>
Example:
data.destination.splunk > set maxKBps 2048
ok