docs: update getting-started-splunk-setup.md #2417
Conversation
I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1
|
hi @jenworthington sure, that's what this section is about: Topic: how to setup your Splunk instance to work with SC4S Steps:
These are the two things that must be done to ensure SC4S-Splunk connection. Ad 1 Indexes Ad 2 HTTP event collector
|
mstopa-splunk
changed the title
|
partially solves #2358 |
|
@jenworthington can you work on the new file |
|
@rjha-splunk I left the file that you saw for reference for Jen, but please check |
More edits, added some new links to the Splunk Enterprise docs
|
Thanks for the new suggestions for structure, it was really helpful. I think I've captured all of the requested changes, take a look and let me know, happy to work on this one some more as needed. |
|
|
||
| ## Step 1: Create indexes within Splunk | ||
|
|
||
| SC4S maps each sourcetype to the following indexes by default: |
There was a problem hiding this comment.
Customers report problems to us because sometimes they don't create those indexes in Splunk, so better to say in the docs that the SC4S's default set of indexes must be created in Splunk
There was a problem hiding this comment.
that makes so much more sense!
There was a problem hiding this comment.
right, but the call for action for the reader is that they must create those indexes or they will have problems, please compare with the original document
There was a problem hiding this comment.
can we make it explicit:
| SC4S maps each sourcetype to the following indexes by default: | |
| SC4S maps each sourcetype to the following indexes by default. Make sure to create them in Splunk. |
| * SC4S traffic must be sent to HEC endpoints that are configured directly on the indexers. | ||
|
|
||
| ### Step 2: Create a load balancing mechanism | ||
| Create a load balancing mechanism between SC4S and Splunk indexers. See [Set up load balancing](https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Setuploadbalancingd) for more information. Note that this should not be confused with load balancing between [sources and SC4S](../lb.md). |
There was a problem hiding this comment.
splunk docs on load balancing don't apply to this case. Can we make it more in the style of:
In some situations, it is necessary to ensure balancing of the output from SC4S to Splunk indexers. Note that this should not be confused with load balancing between [sources and SC4S](../lb.md).
what we mean here is that:
- if you have Splunk Cloud no worry, you're already covered and your SC4S output will be automatically load balanced to Splunk indexers
- if you have Splunk Enterprise and a single indexer, you obviously don't need an lb
- if you have Splunk Enterprise and mutliple indexers, you should load balance your SC4S output
There was a problem hiding this comment.
thanks! Is there another topic we should link to in case they are now to the product and need some guidance for creating this type of load balancing?
There was a problem hiding this comment.
Unfortunately there's nothing to link at this point, we don't provide any further recommendations for lbs at this point
There was a problem hiding this comment.
"In some configurations, you should ensure output balancing from SC4S to Splunk indexers. To do this, you create a load balancing mechanism between SC4S and Splunk indexers. See Set up load balancing for more information."
There was a problem hiding this comment.
@jenworthington sounds great but we cannot use this link because it's for heavy forwarders, not sc4s:
In some configurations, you should ensure output balancing from SC4S to Splunk indexers. To do this, you create a load balancing mechanism between SC4S and Splunk indexers.
|
@jenworthington ready for the next iteration |
| - Refer to [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud) | ||
| or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your | ||
| To set up syslog processing with SC4S, perform the following tasks in your Splunk instance: | ||
| 1. Create indexes within Splunk. |
There was a problem hiding this comment.
Please check how mkdocs renders documentation: https://splunk.github.io/splunk-connect-for-syslog/2417/gettingstarted/getting-started-splunk-setup/
in this case we need a newline before the list else we get:
There was a problem hiding this comment.
I added a new line before the steps. I don't see it rendering though, am i doing it wrong?
There was a problem hiding this comment.
rendering works great now:
https://splunk.github.io/splunk-connect-for-syslog/2417/gettingstarted/getting-started-splunk-setup/
|
@jenworthington something went wrong and your changes to |
I made these changes a while back but maybe i did something weird with the branching? So I redid them and hopefully second time is the charm. ;)
| @@ -1,9 +1,8 @@ | |||
| # Splunk setup | |||
| To ensure proper integration for SC4S and Splunk, perform the following tasks in your Splunk instance: | |||
|
|
|||
| 1. Create indexes within Splunk. | |||
| 1. Create copies of your SC4S indexes in Splunk. | |||
There was a problem hiding this comment.
originally Splunk has just a few indexes; SC4S requires way more to be there, so the user needs to create them, not sure what copies mean in this context
| @@ -30,7 +31,7 @@ SC4S maps each sourcetype to the following indexes by default: | |||
| * `print` | |||
| * `_metrics` (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index) | |||
|
|
|||
| You can also you create your own indexes in Splunk. See [Create custom indexes]( https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Setupmultipleindexes) for more information. | |||
| If you create custom indexes in SC4S you must also create them in Splunk. See [Create custom indexes]( https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Setupmultipleindexes) for more information. | |||
There was a problem hiding this comment.
We don't create indexes in SC4S so maybe:
| If you create custom indexes in SC4S you must also create them in Splunk. See [Create custom indexes]( https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Setupmultipleindexes) for more information. | |
| If you use custom indexes in SC4S you must also create them in Splunk. See [Create custom indexes]( https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Setupmultipleindexes) for more information. |
|
|
||
| ## Step 1: Create indexes within Splunk | ||
|
|
||
| SC4S maps each sourcetype to the following indexes by default: |
There was a problem hiding this comment.
can we make it explicit:
| SC4S maps each sourcetype to the following indexes by default: | |
| SC4S maps each sourcetype to the following indexes by default. Make sure to create them in Splunk. |
| Splunk type. | ||
|
|
||
| Keep in mind the following best practices specific to HEC for SC4S: | ||
| * Make sure that the HEC token created for SC4S has permissions to add events to `main`, `_metrics`, and all other event destination indexes. |
There was a problem hiding this comment.
_metrics are not events, so maybe:
| * Make sure that the HEC token created for SC4S has permissions to add events to `main`, `_metrics`, and all other event destination indexes. | |
| * Make sure that the HEC token created for SC4S has permissions to write to `_metrics` and all event destination indexes. |
|
@jenworthington ready for the final pass |
I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1