docs: update getting-started-splunk-setup.md

[jenworthington]

I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1

[mstopa-splunk]

hi @jenworthington sure, that's what this section is about:

Topic: how to setup your Splunk instance to work with SC4S

Steps:

1. Create default indexes in Splunk
2. Set up the Splunk HTTP Event Collector

These are the two things that must be done to ensure SC4S-Splunk connection.

Ad 1 Indexes
You can use your custom set of indexes. But make sure that all of them, as well as the default set, are created in Splunk, else you will miss events processed by SC4S

Ad 2 HTTP event collector

• Refer to Splunk docs to see how to set it up
• But here are best practices to avoid problems:
  a. put HEC endpoints of your indexers behind a load balancer. Use native syslog-ng load balancing or, preferably, an external load balancer
  b. don't use an intermediate tier of HWFs
  c. make sure that the HEC token has permissions to write in the indexes that you'll need
  d. make sure that you either don't put any "Selected Indexes" or you carefully keep this list up to date
  e. If you're not using TLS on SC4S, turn it off in Splunk's HEC token too.

[mstopa-splunk]

partially solves #2358

[mstopa-splunk]

@jenworthington can you work on the new file docs/gettingstarted/getting-started-splunk-setup-new.md ? I will replace the old one with this one when we finish

[rjha-splunk]

Please check the comment.

[mstopa-splunk]

@rjha-splunk I left the file that you saw for reference for Jen, but please check docs/gettingstarted/getting-started-splunk-setup-new.md instead. It will replace the old one completely

[jenworthington]

Thanks for the new suggestions for structure, it was really helpful. I think I've captured all of the requested changes, take a look and let me know, happy to work on this one some more as needed.

[mstopa-splunk]

It's a tricky one: SC4S will process syslog regardless Splunk. But if Splunk is not correctly set up, output from SC4S won't be correctly indexed by Splunk. Can me make it more like: "to ensure proper integration/collaboration/setup of SC4S and Splunk" kind of thing?

[mstopa-splunk]

@jenworthington please check this comment

[jenworthington]

How about "To ensure proper integration for SC4S and Splunk, perform the following tasks in your Splunk instance:"

[mstopa-splunk]

"Create a load balancing mechanism" is a subsection to "Configure your HTTP event collector"

[mstopa-splunk]

@jenworthington I think it's better to remove point 3 as a subsection of point 2

[jenworthington]

done

[mstopa-splunk]

Customers report problems to us because sometimes they don't create those indexes in Splunk, so better to say in the docs that the SC4S's default set of indexes must be created in Splunk

[jenworthington]

that makes so much more sense!

[mstopa-splunk]

right, but the call for action for the reader is that they must create those indexes or they will have problems, please compare with the original document

[mstopa-splunk]

can we say that if you use your own indexes in SC4S you also have to create them in Splunk?

[mstopa-splunk]

can we restore the alternative and change it to should? SC4S traffic should be sent to HEC endpoints configured directly on the indexers rather than an intermediate tier of heavy forwarders.

[mstopa-splunk]

Create a load balancing mechanism is a subsection of Configure your HTTP event collector

[jenworthington]

i removed it as a numbered step and made it a subtopic instead.

[mstopa-splunk]

splunk docs on load balancing don't apply to this case. Can we make it more in the style of:

In some situations, it is necessary to ensure balancing of the output from SC4S to Splunk indexers. Note that this should not be confused with load balancing between [sources and SC4S](../lb.md). 

what we mean here is that:

• if you have Splunk Cloud no worry, you're already covered and your SC4S output will be automatically load balanced to Splunk indexers
• if you have Splunk Enterprise and a single indexer, you obviously don't need an lb
• if you have Splunk Enterprise and mutliple indexers, you should load balance your SC4S output

[jenworthington]

thanks! Is there another topic we should link to in case they are now to the product and need some guidance for creating this type of load balancing?

[mstopa-splunk]

Unfortunately there's nothing to link at this point, we don't provide any further recommendations for lbs at this point

[jenworthington]

"In some configurations, you should ensure output balancing from SC4S to Splunk indexers. To do this, you create a load balancing mechanism between SC4S and Splunk indexers. See Set up load balancing for more information."

[mstopa-splunk]

Suggested change

	* Bse HEC exclusively for syslog.
	* Use HEC exclusively for syslog.

[mstopa-splunk]

@jenworthington ready for the next iteration

[mstopa-splunk]

Please check how mkdocs renders documentation: https://splunk.github.io/splunk-connect-for-syslog/2417/gettingstarted/getting-started-splunk-setup/

in this case we need a newline before the list else we get:

[jenworthington]

I added a new line before the steps. I don't see it rendering though, am i doing it wrong?

[mstopa-splunk]

Point 3 is not a separate point, it's rather a subsection of configuring HTTP event collectors. And Splunk Cloud users don't have to worry about it at all

[mstopa-splunk]

can you also add fireeye and gitops?

[mstopa-splunk]

@jenworthington can you please add these two indexes too?

[jenworthington]

done

[mstopa-splunk]

@jenworthington something went wrong and your changes to docs/gettingstarted/getting-started-splunk-setup.md from the last pass were not commited. I opened all previous comments again, please go through them and commit the final pass, I'm sorry for that situation