Configuring Data Input & Index

In order for Splunk to receive data from NetObserv Flow you must first configure a Data Input & an Index.

There are 5 steps to set up a Data Input & Index

1. Create a Data Input: Settings -> Data Inputs -> HTTP Event Collector -> +Add New

2. Give it a Name, click Next

3. Source Type -> Select -> Select Source Type -> Log To Metrics -> log2metrics_keyvalue

   1. Select Allowed Indexes (pick the ElastiFlow Index you want to use, if one does not exist click "Create a new index")
   2. Verify these sections and click Review:

4. Click Submit

5. Copy this Token Value and use it in your ElastiFlow configuration here

#EF_OUTPUT_SPLUNK_HEC_ADDRESSES: 127.0.0.1:8088
#EF_OUTPUT_SPLUNK_HEC_BATCH_DEADLINE: 2000
#EF_OUTPUT_SPLUNK_HEC_BATCH_MAX_BYTES: 8388608
#EF_OUTPUT_SPLUNK_HEC_CIM_ENABLE: "false"
#EF_OUTPUT_SPLUNK_HEC_DROP_FIELDS: ""
#EF_OUTPUT_SPLUNK_HEC_ENABLE: "false"
#EF_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH: ""
#EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE: "true"
#EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION: "false"
#EF_OUTPUT_SPLUNK_HEC_TOKEN: ""