
Send events with Splunk S2S

You can send events to Imply Lumi using the Splunk® TCP endpoint. The TCP endpoint forwards events to Imply Lumi using the Splunk-to-Splunk (S2S) protocol. This integration is compatible with any universal or heavy forwarders you use to send data to Splunk.

For other approaches to sending events, see Send events to Imply Lumi.

This topic provides details on configuring event forwarding with Splunk S2S.

Prerequisites

To send events to Imply Lumi using Splunk TCP, you need the following:

  • Port 9997 available as an outbound TCP port.

  • Access to Imply Lumi with the Data manager or higher role. For information on roles and permissions, see Manage roles.

  • An Imply Lumi IAM key. See Create an IAM key for details.

    When sending events with Splunk S2S, the IAM key authenticates connections to send events to Imply Lumi. If you assign any global attributes to the key, Imply Lumi enriches incoming events with those values.

Set event parsing rules

Assign event parsing settings to the IAM key to specify how Imply Lumi reads incoming events. With the S2S protocol, you need to provide properties for timestamp extraction. For example, you can define the timestamp format as %Y-%m-%d %H:%M:%S.

Specify the parsing attributes when you create the IAM key. If you already have a key, follow the steps to update an IAM key to set its S2S attributes.

Figure: S2S on IAM keys

Ensure that the Imply Lumi settings match any server-side settings you have for Splunk. Visit the event parsing reference to see supported patterns and examples.

For reference on IAM key attributes, see IAM keys.

Configure event forwarding

Before configuring event forwarding, access the Splunk S2S integration page in Imply Lumi. Select your IAM key. The page populates with endpoint and IAM key information required to authenticate the connection.

  1. To forward events to Imply Lumi, configure your universal or heavy forwarders to export to Imply Lumi.

    Update or add the TCP output stanza in outputs.conf to include the following settings:

    [tcpout]
    defaultGroup = logs_lumi

    [tcpout:logs_lumi]
    server = LUMI_ENDPOINT
    token = IAM_KEY_TOKEN
    useSSL = true
    useClientSSLCompression = false

    You must include useSSL = true because the Imply Lumi endpoint is SSL-enabled. Imply Lumi doesn't support compression, so you must also include useClientSSLCompression = false.

    Info: Adding or overriding other settings in this stanza may change how your data is transmitted, and Imply Lumi may then not receive it correctly.

  2. Replace the following placeholders with the values provided by Imply Lumi:

    • LUMI_ENDPOINT: Imply Lumi endpoint.
      For example, splunk-tcp.us1.api.lumi.imply.io:9997.
    • IAM_KEY_TOKEN: IAM key token.
      For example, 229a2561-0000-0000-0000-bc433de16f89.
  3. Restart the forwarder for the changes to take effect.
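The following script is an added example, not part of Imply's documentation or of Splunk's tooling. It parses an outputs.conf stanza like the one above and reports the mistakes that most often break this integration: placeholders left unreplaced, a server value without port 9997, and useSSL or useClientSSLCompression missing or set to the wrong value. The sample stanza embedded in it is constructed from the one shown on this page; run it against a real forwarder's outputs.conf by passing the file contents to check_lumi_output.

```python
"""Check a Splunk outputs.conf stanza for the settings the Imply Lumi S2S
endpoint requires (useSSL = true, useClientSSLCompression = false).
Added example; assumes the stanza layout shown on the page."""
import configparser
import re

# Constructed sample: the page's stanza before the placeholders are replaced.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = logs_lumi

[tcpout:logs_lumi]
server = LUMI_ENDPOINT
token = IAM_KEY_TOKEN
useSSL = true
useClientSSLCompression = false
"""

# Placeholder names as they appear on the page.
PLACEHOLDERS = {"LUMI_ENDPOINT", "IAM_KEY_TOKEN"}
# Settings the endpoint requires, with the only acceptable value for each.
REQUIRED = {"useSSL": "true", "useClientSSLCompression": "false"}


def parse_outputs_conf(text):
    """Parse Splunk's ini-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (useSSL, not usessl)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_lumi_output(text):
    """Return a list of problems; an empty list means the stanza is correct."""
    problems = []
    conf = parse_outputs_conf(text)

    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["[tcpout] has no defaultGroup"]
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        return [f"defaultGroup {group} has no [tcpout:{group}] stanza"]

    # Endpoint and token must be present and must not be the placeholders.
    for key in ("server", "token"):
        value = stanza.get(key)
        if not value:
            problems.append(f"{key} is missing")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still set to placeholder {value}")

    # The page lists port 9997 as the outbound port; flag anything else.
    server = stanza.get("server", "")
    if server and server not in PLACEHOLDERS and not re.fullmatch(r"[^\s:]+:9997", server):
        problems.append(f"server {server!r} does not use port 9997")

    # TLS must be on and client-side compression off, exactly as documented.
    for key, expected in REQUIRED.items():
        actual = stanza.get(key)
        if actual is None:
            problems.append(f"{key} is missing (must be {expected})")
        elif actual.strip().lower() != expected:
            problems.append(f"{key} is {actual!r}, must be {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_lumi_output(SAMPLE_OUTPUTS_CONF) or ["stanza OK"]:
        print(problem)
```

Run it before restarting the forwarder: a stanza that still carries the placeholder names, or that has useSSL set to anything but true, is reported before the restart rather than discovered as a silent gap in the Preview incoming data pane.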

Check Imply Lumi for events

Once you configure event forwarding and send events, you can preview the incoming data in Imply Lumi:

  1. Click Integrations in the navigation menu.

  2. Click S2S.

  3. Click View instructions.

  4. In Select or create an IAM key, select your key.

  5. In Preview incoming data, you'll see the events coming into Imply Lumi. Imply Lumi automatically refreshes the preview pane to display the latest events.

  6. Click Go to explore view to see more events associated with the IAM key. The Explore view populates the search bar with your IAM key ID and the receiver type. For example:

    #iamKeyId=3e99daf3... #receiver=splunk.s2s

Once events start flowing into Imply Lumi, you can search them. See Search for events with Imply Lumi for details and information on supported search syntax.

Learn more

See the following topics for more information:

For information on the Splunk TCP output processor, refer to the following documentation: