Splunk Heavy or Universal Forwarders (TCP) Source

Use Observability Pipelines' Splunk Heavy and Universal Forwarders (TCP) source to receive logs sent to your Splunk forwarders. Select and set up this source when you set up a pipeline.

Prerequisites

To use Observability Pipelines’ Splunk TCP source, you have a Splunk Enterprise or Cloud Instance alongside either a Splunk Universal Forwarder or a Splunk Heavy Forwarder routing data to your Splunk instance. You also have the following information available:

  • The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, 0.0.0.0:8088. Later on, you configure your applications to send logs to this address.
  • The appropriate TLS certificates and the password you used to create your private key if your forwarders are globally configured to enable SSL.

See Deploy a Universal Forwarder or Deploy a Heavy Forwarder for more information on Splunk forwarders.

Set up the source in the pipeline UI

Select and set up this source when you set up a pipeline. The information below is for the source settings in the pipeline UI.

Optionally, click the toggle to enable TLS. If you enable TLS, the following certificate and key files are required:

  • Server Certificate Path: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
  • CA Certificate Path: The path to the certificate file that is your Certificate Authority (CA) Root File in either DER or PEM (X.509).
  • Private Key Path: The path to the .key private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.

Connect Splunk Forwarder to the Observability Pipelines Worker

To forward your logs to the Worker, add the following configuration to your Splunk Heavy/Universal Forwarder's etc/system/local/outputs.conf and replace <OPW_HOST> with the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker:

[tcpout]
compressed=false
sendCookedData=false
defaultGroup=opw

[tcpout:opw]
server=<OPW_HOST>:8099

<OPW_HOST> is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the LoadBalancerDNS CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used. For example: opw-observability-pipelines-worker.default.svc.cluster.local.

At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.
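If logs do not arrive, a mismatch between outputs.conf and the Worker is a common place to look first. The following added example (not part of the original page or of Datadog's tooling) lints an outputs.conf against the stanza above. The function name check_outputs_conf, the sample hostname, and the assumption that the forwarder connects directly to the Worker's bind port are illustrative; note that the bind address example earlier on the page uses 8088 while the stanza uses 8099, so pass whichever port your Worker actually listens on.

```python
import configparser

# Constructed sample: the stanza from this page with <OPW_HOST> replaced by a
# made-up hostname.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
compressed=false
sendCookedData=false
defaultGroup=opw

[tcpout:opw]
server=opw.example.internal:8099
"""

def check_outputs_conf(text, worker_port):
    """Return a list of findings; an empty list means the file matches the page."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (configparser lowercases by default)
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["missing [tcpout] stanza"]
    base, findings = cp["tcpout"], []
    # The page sets both of these to false for the Worker's Splunk TCP source.
    for key in ("compressed", "sendCookedData"):
        if base.get(key, "").strip().lower() != "false":
            findings.append(f"[tcpout] {key} must be false, found {base.get(key)!r}")
    groups = [g.strip() for g in base.get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        findings.append("[tcpout] defaultGroup is not set")
    for group in groups:
        stanza = f"tcpout:{group}"
        servers = cp.get(stanza, "server", fallback="") if cp.has_section(stanza) else ""
        if not servers.strip():
            findings.append(f"[{stanza}] has no server entry")
        for target in filter(None, (s.strip() for s in servers.split(","))):
            host, _, port = target.rpartition(":")
            if not host or "<" in host:
                findings.append(f"[{stanza}] placeholder or empty host in {target!r}")
            if port != str(worker_port):  # assumption: direct connection, no port remap
                findings.append(f"[{stanza}] {target!r} does not use worker port {worker_port}")
    return findings

if __name__ == "__main__":
    for finding in check_outputs_conf(SAMPLE_OUTPUTS_CONF, 8099) or ["ok"]:
        print(finding)
```
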
