How to Onboard Data into Splunk via the Web Interface
Are you looking to onboard data into Splunk but feeling like you don’t have the tech savvy to do so? Do you sit and think, if only I knew my way around the command line interface I could get this data into Splunk? Or, maybe you’re new to using Splunk and want to test out its monsterous capabilities. In this tutorial I will be going over how to onboard log data into Splunk via the web interface using your Splunk all in one system.
I’ve created both a blog post and screencast, which you can view below:
At the home launcher screen, when you first log into Splunk, there are a few options as far as how you want to onboard your data.
In the center, there’s a huge button that says “Add Data”. You can either click that or go into settings and you’ll see “Add Data”, or you can look for data inputs.
Clicking data inputs will always give more options, so I would recommend going with that.
Once you choose data inputs, you will be brought to a new screen. Using an all in one Splunk system, the file is likely located on that box. So, you will want to select “Add New” next to “Files and Directories”, as shown below:
From there, you can either select the file you want to onboard by selecting browse, or you can manually type in the path. Once you select the file there’s an option for indexing the data once, or you can continuously monitor the path. That way, if any changes are made to the file, it will automatically be indexed into Splunk. Choose what best suites your needs and select next.
Now you will want to define the data. Defining the data is important. You will want to keep your data organized so it’s easily searchable and, if there are apps or TA’s (technology add-ons) available for your data type, you can easily have field extractions applied or have pretty dashboards available. That being said, select the sourcetype you would like to use.
If these are proprietary logs you can enter any sourcetype you would like. However, if these are logs that have an app or TA available, you will want to use the sourcetype that is recommended by that.
Next, select the app context. If there is an app available for this log type, and you have that installed, select that application. Otherwise, you can select “Search and Reporting”.
Now you’ll want to define the host. This should be the device name of where the logs originated. If the logs are from a firewall, then you would set the firewall hostname as the host. As shown below, I have mine set to Cisco Firewall:
The final step is to select the index. Remember, you want to keep your logs organized and you want to know where you want this data to go. If you already have an index you would like the logs to go into you can select that.
So, again, if these are firewall logs, maybe put them where all the other network device logs are going. Otherwise you can create a new index.
Once you review and click submit, you will verify your configuration settings. If everything looks good, you are all set.
Congratulations!!! You have onboarded data like a pro and you can now search these logs.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.