Send events with S2S
You can send events to Imply Lumi using the Splunk® TCP endpoint. The TCP endpoint forwards events to Lumi using the Splunk-to-Splunk (S2S) protocol. This integration is compatible with any universal or heavy forwarders you use to send data to Splunk.
To learn how to use this integration, see the S2S tutorial. For other approaches to sending events, see Send events to Lumi.
This topic provides details on configuring event forwarding with Splunk-to-Splunk (S2S).
Prerequisites
To send events to Lumi using Splunk TCP, you need the following:
- Access to Lumi with the Data manager role or higher. For information on roles and permissions, see Manage roles.
- Lumi IAM key. See Create an IAM key for details.
  The IAM key authenticates connections to send events to Lumi. It also enriches incoming events with the system attributes for environment and team.
- Splunk universal forwarder or heavy forwarder.
- Port 9997 open for outbound TCP traffic on the machine forwarding the events.
Set event parsing rules
On the IAM key, you also assign event parsing settings to specify how to parse events.
For the S2S protocol, you need to provide properties for timestamp extraction.
For example, define the timestamp format as %d/%b/%Y:%H:%M:%S.
Visit the event parsing reference to see supported patterns and examples.
Ensure that the Lumi settings match any server-side settings you have for Splunk.
Specify the S2S attributes when you create the IAM key. If you already have an existing key, follow the steps to update an IAM key to assign the attributes.
S2S attributes are not stored with the events. For information on IAM key attributes, see IAM keys reference.
Configure event forwarding
Before configuring event forwarding, access the S2S integration page in Lumi. Select your IAM key. The page populates with endpoint and IAM key information required to authenticate the connection.
- To forward events to Lumi, configure your universal or heavy forwarders to export to Lumi. Update or add the TCP output stanza in outputs.conf to include the following settings:

  ```
  [tcpout]
  defaultGroup = logs_lumi

  [tcpout:logs_lumi]
  server = LUMI_ENDPOINT
  token = IAM_KEY_TOKEN
  useSSL = true
  useClientSSLCompression = false
  ```

  You must include useSSL = true because the Lumi endpoint is SSL-enabled. Lumi doesn't support compression, so you must also include useClientSSLCompression = false.

  Info: If you add or override additional settings in this stanza, that may impact how your data gets transmitted. In that case, Lumi may not receive your data correctly.
- Replace the following placeholders with values provided by Lumi:
  - LUMI_ENDPOINT: Lumi endpoint. For example, splunk-tcp.us1.api.lumi.imply.io:9997.
  - IAM_KEY_TOKEN: IAM key token. For example, 229a2561-0000-0000-0000-bc433de16f89.
- Restart the forwarder for the changes to take effect.
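The following is an added example, not part of Imply's or Splunk's documentation: a small Python check that parses an outputs.conf and verifies, before you restart the forwarder, that the Lumi tcpout stanza carries the settings described above (SSL on, compression off, port 9997, placeholders replaced). The sample configuration and the function name check_lumi_tcpout are assumptions for illustration.

```python
import configparser
from typing import List

# Constructed sample outputs.conf following the stanza documented on this page.
# The endpoint and token values are the placeholder examples from the page.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = logs_lumi

[tcpout:logs_lumi]
server = splunk-tcp.us1.api.lumi.imply.io:9997
token = 229a2561-0000-0000-0000-bc433de16f89
useSSL = true
useClientSSLCompression = false
"""


def check_lumi_tcpout(conf_text: str) -> List[str]:
    """Return a list of problems found in the tcpout configuration.

    An empty list means the stanza named by defaultGroup matches what the
    Lumi S2S endpoint expects. Splunk .conf files are INI-style, so the
    standard configparser can read them; interpolation is disabled because
    Splunk values may legitimately contain '%'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)

    group = cp.get("tcpout", "defaultGroup", fallback="")
    if not group:
        return ["[tcpout] has no defaultGroup"]
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        return [f"no [{stanza}] stanza for defaultGroup '{group}'"]

    s = cp[stanza]
    problems = []
    server, token = s.get("server", ""), s.get("token", "")
    if server in ("", "LUMI_ENDPOINT"):
        problems.append("server placeholder LUMI_ENDPOINT was not replaced")
    elif not server.endswith(":9997"):
        problems.append(f"server '{server}' does not use port 9997")
    if token in ("", "IAM_KEY_TOKEN"):
        problems.append("token placeholder IAM_KEY_TOKEN was not replaced")
    if s.get("useSSL", "").lower() != "true":
        problems.append("useSSL must be true: the Lumi endpoint is SSL-enabled")
    if s.get("useClientSSLCompression", "").lower() != "false":
        problems.append("useClientSSLCompression must be false: Lumi does not support compression")
    return problems
```

Run it against the real file with `check_lumi_tcpout(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read())` (path assumed) and fix anything it reports before restarting.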
Check Lumi for events
Once you configure event forwarding and send events, you can preview the incoming data in Lumi:
- From the Lumi navigation menu, click Integrations > S2S.
- In Select or create an IAM key, select your key.
- In Preview incoming data, view the events coming in to Lumi. Lumi automatically refreshes the preview pane to display the latest events.
- Click Explore events to see more events associated with the IAM key. The explore view populates the search bar with your IAM key ID and the receiver type. For example:
#iamKeyId=229a2561-0000-0000-0000-bc433de16f89 #receiver=splunk.s2s
Adjust the time filter to choose the range of data displayed.
Once events start flowing into Lumi, you can search them. See Search events with Lumi for details and information on supported search syntax.
Learn more
See the following topics for more information:
- How to send events with S2S for a tutorial on sending events with S2S.
- Send events to Lumi for other options to send events.
- Event parsing for S2S events for supported patterns to parse S2S events.
- IAM keys reference for details on IAM keys.
For information on the Splunk TCP output processor, refer to the following documentation: