Splunk Cloud

To add a Splunk destination to Axoflow, complete the following steps.

Prerequisites

  1. Enable the HTTP Event Collector (HEC) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.

  2. Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.

    For details, see Set up and use HTTP Event Collector in Splunk Web.

  3. If you’re using AxoRouter, create the indexes where Axoflow sends the log data. Which indexes are needed depends on your sources, but create at least the following event indexes: axoflow, infraops, netops, netfw, and osnix (for unclassified messages). Check your sources in the Data sources section for a detailed list of the indexes their data is sent to.

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Splunk.

    2. Enter a name for the destination.

      Configure the Splunk destination

    3. Enter the HEC endpoint of your Splunk deployment into the URL field, for example, https://<your-splunk-tenant-id>.splunkcloud.com:8088 for Splunk Cloud Platform free trials, or https://<your-splunk-tenant-id>.splunkcloud.com for Splunk Cloud Platform instances.

    4. Enter the token you’ve created into the Token field.

    5. Leave the Verify server certificate option enabled whenever your deployment presents a certificate issued by a trusted CA. Disable it only for deployments that use a self-signed certificate, such as Splunk Cloud Platform free trial instances. With verification disabled the connection is still encrypted, but the server is not authenticated, so anyone who can intercept the traffic can impersonate Splunk and capture your HEC token and log data.

    6. Select Create.
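Before saving the destination, it is worth confirming from the AxoRouter host that the URL, token, certificate and indexes all line up, so that a misconfiguration shows up here rather than as silently dropped events. The following preflight script is an added example, not part of Axoflow or Splunk. It uses only Splunk's documented HEC API (GET /services/collector/health, POST /services/collector/event, and the Authorization: Splunk <token> header) and the HEC response codes from Splunk's documentation; the URL, token and test message are placeholders, and the index list is the one from the prerequisites above.

```python
"""Preflight check for a Splunk HEC destination: TLS trust, token and indexes.

Added example, not Axoflow's or Splunk's own code. Only Splunk's documented
HEC endpoints are used; hostnames, tokens and the test message are placeholders.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Response codes HEC returns in its JSON body (from Splunk's HEC documentation).
HEC_CODES = {
    0: "success",
    1: "token disabled",
    2: "token is required",
    3: "invalid authorization",
    4: "invalid token",
    5: "no data",
    6: "invalid data format",
    7: "incorrect index",
    8: "internal error",
    9: "server is busy",
    17: "HEC is healthy",
}

# Indexes Axoflow expects when AxoRouter is in use (from the prerequisites).
REQUIRED_INDEXES = ["axoflow", "infraops", "netops", "netfw", "osnix"]


def build_event(index: str, message: str, sourcetype: str = "syslog") -> bytes:
    """Minimal HEC event body; the sourcetype matches the token's syslog source type."""
    return json.dumps({"event": message, "sourcetype": sourcetype, "index": index}).encode()


def classify(status: int, body: bytes) -> str:
    """Turn an HTTP status plus HEC JSON body into a verdict. status 0 = no HTTP reply."""
    try:
        doc = json.loads(body.decode() or "{}")
    except (ValueError, UnicodeDecodeError):
        doc = {}
    if status == 0:
        return "transport error: " + str(doc.get("text", "unknown"))
    code = doc.get("code")
    if status == 200 and code in (0, 17):
        return "ok"
    meaning = HEC_CODES.get(code, "unknown HEC code %r" % (code,))
    return "HTTP %d: %s" % (status, meaning)


def make_context(verify: bool) -> ssl.SSLContext:
    """verify=True checks chain and hostname (the default). verify=False mirrors
    disabling 'Verify server certificate': encrypted, but the peer is unauthenticated."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _request(url, token, data, verify):
    """GET when data is None, else POST. TLS failures surface as status 0."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if token:
        req.add_header("Authorization", "Splunk " + token)
    try:
        with urllib.request.urlopen(req, context=make_context(verify), timeout=10) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:        # HEC answers 4xx with a JSON body
        return e.code, e.read()
    except urllib.error.URLError as e:         # includes certificate verification errors
        return 0, json.dumps({"text": str(e.reason)}).encode()


def check_destination(base_url, token, indexes=REQUIRED_INDEXES, verify=True):
    """Return {check_name: verdict}. The health endpoint needs no token; one test
    event per index proves the token works and the index exists (HEC code 7 if not)."""
    results = {"health": classify(*_request(base_url + "/services/collector/health", None, None, verify))}
    for idx in indexes:
        body = build_event(idx, "axoflow preflight test event")   # constructed test message
        results["index:" + idx] = classify(*_request(base_url + "/services/collector/event", token, body, verify))
    return results


if __name__ == "__main__":
    # usage: preflight.py https://<tenant>.splunkcloud.com:8088 <hec-token> [--no-verify]
    base, hec_token = sys.argv[1], sys.argv[2]
    for name, verdict in check_destination(base, hec_token, verify="--no-verify" not in sys.argv).items():
        print("%-16s %s" % (name, verdict))
```

Run it from the AxoRouter host so the same network path and trust store are exercised. A "transport error: ... certificate verify failed" verdict on the health check with verification enabled is exactly the case in which you would disable Verify server certificate; every other check should report ok, and "incorrect index" points at a missing index from the prerequisites rather than at the token.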

Next step

Create a flow to connect the new destination to an AxoRouter instance.

  1. Select Flows.

  2. Select Create New Flow.

  3. Enter a name for the flow, for example, my-test-flow.

    Create a flow

  4. In the Router Selector field, enter an expression that matches the router(s) to which you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

  5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

  6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

    1. Add a Reduce step to automatically remove redundant and empty fields from your data.
    2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the query meta.vendor = fortinet + meta.product = fortigate.
    3. Save the processing steps.

    Example processing steps

  7. Select Create.

  8. The new flow appears in the Flows list.

    The new flow