
Send events with S2S

You can forward events from Splunk® universal or heavy forwarders to Imply Lumi using the Splunk-to-Splunk (S2S) data transmission protocol.

Lumi supports two S2S integrations, each corresponding to a Splunk output processor:

  • tcpout: Forwards data using the S2S protocol over TCP
  • httpout: Encapsulates the S2S payload and forwards it over HTTP

For information on the Splunk processors and their use cases, see Intermediate data routing using universal and heavy forwarders.

This topic provides details on event forwarding configuration using Splunk-to-Splunk (S2S). For an end-to-end tutorial, see How to send events with S2S.

Prerequisites

To send events to Lumi using S2S, you need the following:

  • Access to Lumi with the Data manager role or higher. For information on roles and permissions, see Manage roles.

  • Lumi IAM key. See Create an IAM key for details.

    The IAM key authenticates connections to send events to Lumi. It also enriches incoming events with the system attributes for environment and team.

  • Splunk universal forwarder or heavy forwarder.

  • For the tcpout integration: Port 9997 open for outbound TCP traffic on the machine forwarding the events.

  • For the httpout integration: Port 443 open for outbound TCP traffic on the machine forwarding the events.

Set event parsing rules

On the IAM key, you assign S2S attributes to specify how to parse events. You can specify the attributes when you create the key or you can update an existing IAM key to add the integration and assign the attributes.

S2S attributes are not stored with the events. For information on IAM key attributes, see IAM keys reference.

For example, you can define the format for timestamp extraction using the pattern %d/%b/%Y:%H:%M:%S. Visit the event parsing reference to see supported patterns and examples. Ensure that the Lumi settings match any server-side settings you have for Splunk.
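Before assigning a timestamp pattern to the key, it is worth confirming that the pattern actually matches the events your forwarder will send, since a mismatch silently affects how Lumi parses every event. The following Python script is an added example and not part of the Lumi documentation: it turns a strftime-style pattern such as the %d/%b/%Y:%H:%M:%S shown above into a regular expression, locates the timestamp in each raw event, and reports events the pattern does not match. The directive-to-regex table covers only a common subset of directives (an assumption of this example; Lumi's supported patterns are listed in the event parsing reference), and the sample events are constructed.

```python
# Added example (not from the Lumi docs): check that a timestamp extraction
# pattern such as %d/%b/%Y:%H:%M:%S matches sample events before assigning it
# to an IAM key. The directive table and sample events are constructed.
import re
from datetime import datetime

# strftime directives mapped to regex fragments. This is a subset sufficient
# for common web-server and syslog style timestamps (assumption, not Lumi's list).
_DIRECTIVE_RE = {
    "%d": r"\d{2}", "%m": r"\d{2}", "%Y": r"\d{4}", "%y": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
    "%b": r"[A-Za-z]{3}", "%Z": r"[A-Z]{3,4}", "%z": r"[+-]\d{4}",
    "%%": r"%",
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a strftime pattern into a regex that locates the timestamp in an event."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 1 < len(pattern):
            directive = pattern[i:i + 2]
            if directive not in _DIRECTIVE_RE:
                raise ValueError(f"unsupported directive {directive}")
            out.append(_DIRECTIVE_RE[directive])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def extract_timestamp(event: str, pattern: str):
    """Return the parsed datetime for the first match of pattern in event, or None."""
    m = pattern_to_regex(pattern).search(event)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(0), pattern)
    except ValueError:
        # Regex matched but strptime rejected the value (e.g. month "Xyz").
        return None


def check_events(events, pattern):
    """Return (parsed_count, unparsed_events) for a batch of raw events."""
    unparsed = []
    parsed = 0
    for ev in events:
        if extract_timestamp(ev, pattern) is None:
            unparsed.append(ev)
        else:
            parsed += 1
    return parsed, unparsed


# Constructed sample events: two in the expected format, one in ISO 8601.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [12/Mar/2024:08:15:42 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:08:15:43 +0000] "POST /api/token HTTP/1.1" 401 87',
    '2024-03-12T08:15:44Z host=web01 msg="timestamp in a different format"',
]

if __name__ == "__main__":
    ok, bad = check_events(SAMPLE_EVENTS, "%d/%b/%Y:%H:%M:%S")
    print(f"parsed {ok} event(s); {len(bad)} did not match the pattern")
    for ev in bad:
        print("  no match:", ev)
```

Run it against a representative sample of your own events; the third sample event shows the kind of mismatch you want to catch before the key goes into use, and the same check lets you confirm that the pattern on the Lumi key is identical to the one your Splunk server-side settings use.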

S2S on IAM keys

Configure event forwarding

This section describes how to forward events to Lumi using S2S. It involves updating your universal or heavy forwarder outputs.conf file. The process assumes you already have your input source and any parsing or transforms configured in Splunk.

To configure event forwarding, complete the following steps:

  1. From the Lumi navigation menu, click Integrations, then tcpout or httpout.
  2. Select or create an IAM key.
  3. Assign or confirm the S2S attributes on the key.
  4. Copy the tcpout or httpout stanza into your forwarder's outputs.conf file.
    See the following sections for configuration information.
  5. Restart the forwarder for the changes to take effect.
    If you manage a distributed deployment, remember to deploy the new configuration to all the forwarders. Refer to the Splunk documentation for details.
Info: To enable an S2S integration from the Keys page, select a key and click + Add integration > S2S. To use httpout, you need to add the integrations for both S2S and Splunk HEC.

The following sections show the configuration for each S2S integration.

S2S over TCP

Update or add the TCP output stanza in outputs.conf to include the following settings:

[tcpout]
defaultGroup = logs_lumi

[tcpout:logs_lumi]
server = LUMI_ENDPOINT
token = IAM_KEY_TOKEN
useSSL = true
useClientSSLCompression = false

Replace the variables with your own values:

  • LUMI_ENDPOINT: Lumi endpoint.
    For example, splunk-tcp.us1.api.lumi.imply.io:9997
  • IAM_KEY_TOKEN: IAM key token.
    For example, 229a2561-0000-0000-0000-bc433de16f89

You must include useSSL = true because the Lumi endpoint is SSL-enabled. Lumi doesn't support compression, so you must also include useClientSSLCompression = false.

Info: Adding or overriding other settings in this stanza can change how your data is transmitted, and Lumi may then not receive it correctly.

S2S over HTTP

Update or add the HTTP output stanza in outputs.conf to include the following settings:

[httpout]
httpEventCollectorToken = IAM_KEY_TOKEN
uri = LUMI_ENDPOINT

Replace the variables with your own values:

  • LUMI_ENDPOINT: Lumi endpoint.
    For example, https://splunk-hec.us1.api.lumi.imply.io
  • IAM_KEY_TOKEN: IAM key token.
    For example, 229a2561-0000-0000-0000-bc433de16f89
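Because a forwarder restart with a wrong stanza fails quietly (events simply never arrive), a quick check of outputs.conf before step 5 saves a round of troubleshooting. The Python script below is an added example, not code from Imply or Splunk: it parses an outputs.conf and checks the tcpout and httpout stanzas from the two sections above against the stated requirements (useSSL = true, useClientSSLCompression = false, a host:port server on port 9997, an https:// URI for httpout, and no LUMI_ENDPOINT or IAM_KEY_TOKEN placeholder left in place). The sample outputs.conf is constructed, using the example hostnames and token from this page; treating a non-https uri as an error is this example's assumption based on the port 443 prerequisite.

```python
# Added example (not from the Lumi docs or Splunk): validate the tcpout and
# httpout stanzas in outputs.conf against the settings the Lumi S2S
# integrations require, before restarting the forwarder.
import configparser
from urllib.parse import urlsplit

TCPOUT_PORT = 9997                                  # Lumi tcpout endpoint port
PLACEHOLDERS = {"LUMI_ENDPOINT", "IAM_KEY_TOKEN"}   # variables from the doc stanzas


def load_outputs_conf(text: str) -> configparser.ConfigParser:
    """Parse outputs.conf text. Splunk conf files are INI-like, so configparser fits."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep useSSL as written instead of lowercasing it
    cp.read_string(text)
    return cp


def check_tcpout(cp) -> list:
    """Return a list of problems found in the tcpout stanzas (empty means OK)."""
    problems = []
    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if not group:
        return ["[tcpout] has no defaultGroup"]
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        return [f"[{stanza}] stanza missing"]
    s = cp[stanza]
    server = s.get("server", "")
    host, _, port = server.rpartition(":")
    if server in PLACEHOLDERS or not host or not port.isdigit():
        problems.append(f"[{stanza}] server must be host:port, got {server!r}")
    elif int(port) != TCPOUT_PORT:
        problems.append(f"[{stanza}] server port {port} is not {TCPOUT_PORT}")
    token = s.get("token", "")
    if not token or token in PLACEHOLDERS:
        problems.append(f"[{stanza}] token is missing or still a placeholder")
    if s.get("useSSL", "").lower() != "true":
        problems.append(f"[{stanza}] useSSL must be true (the Lumi endpoint is SSL-only)")
    if s.get("useClientSSLCompression", "").lower() != "false":
        problems.append(f"[{stanza}] useClientSSLCompression must be false")
    return problems


def check_httpout(cp) -> list:
    """Return a list of problems found in the httpout stanza (empty means OK)."""
    if not cp.has_section("httpout"):
        return ["[httpout] stanza missing"]
    s = cp["httpout"]
    problems = []
    uri = s.get("uri", "")
    parts = urlsplit(uri)
    # https is an assumption of this example, based on the port 443 prerequisite.
    if uri in PLACEHOLDERS or parts.scheme != "https" or not parts.netloc:
        problems.append(f"[httpout] uri must be an https:// URL, got {uri!r}")
    token = s.get("httpEventCollectorToken", "")
    if not token or token in PLACEHOLDERS:
        problems.append("[httpout] httpEventCollectorToken is missing or still a placeholder")
    return problems


# Constructed sample: a correct tcpout stanza and an httpout stanza with two
# mistakes (placeholder token left in place, plain-http uri).
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = logs_lumi

[tcpout:logs_lumi]
server = splunk-tcp.us1.api.lumi.imply.io:9997
token = 229a2561-0000-0000-0000-bc433de16f89
useSSL = true
useClientSSLCompression = false

[httpout]
httpEventCollectorToken = IAM_KEY_TOKEN
uri = http://splunk-hec.us1.api.lumi.imply.io
"""

if __name__ == "__main__":
    conf = load_outputs_conf(SAMPLE_OUTPUTS_CONF)
    for problem in check_tcpout(conf) + check_httpout(conf):
        print("PROBLEM:", problem)
```

To run it on a real file, replace SAMPLE_OUTPUTS_CONF with the contents of your forwarder's outputs.conf; an empty problem list for the stanza you use means the configuration matches what this page requires, and any message names the stanza and setting to fix.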

Check Lumi for events

Once you configure event forwarding and send events, you can preview the incoming data in Lumi:

  1. From the Lumi navigation menu, click Integrations, then select tcpout or httpout.

  2. In Select or create an IAM key, select your key.

  3. In Preview incoming data, view the events coming into Lumi. Lumi automatically refreshes the preview pane to display the latest events.

  4. Click Explore events to see more events associated with the IAM key. The explore view populates the search bar with your IAM key ID and the receiver type. For example:

    #iamKeyId=229a2561-0000-0000-0000-bc433de16f89 #receiver=splunk.s2s

    Adjust the time filter to choose the range of data displayed.

Once events start flowing into Lumi, you can search them. See Search events with Lumi for details and information on supported search syntax.

Learn more

See the following topics for more information:

For information on the Splunk TCP output processor, refer to the following documentation: