Tech Insights
Arosha Piyadigama
December 10, 2021

How to send logs to a particular Splunk Index using Fluent Bit

How to send logs to a particular Splunk Index using Fluent Bit

Using logs for applications is a good way to identify errors, threats, profiling and many more critical facts. That is why developers prefer Fluent Bit. If we can analyse,query and visualise data in a meaningful manner, then the results will be more productive. That’s where Splunk comes in. In this post, I concentrate on how to have these two magnificent tools link in order to get the optimum outcome.

First I’ll explain the environment that this setup was tested on.

·        Splunk Enterprise:Version 8.0.1

·        Fluent Bit:Version 1.6.10

·        Fluent Bitrunning OS version: Ubuntu 20.04.1 LTS

Splunk is a software forsearching, monitoring, and analysing machine-generated big data via a Web-styleinterface. First we will take a look at the configuration that has to be done in Splunk. I hope you have a basic understanding of Splunk-related terminologies that are used here.

Let’s start withcreating an Index in Splunk.

·        Log in toyour Splunk Enterprise application and click on the Settings menu item in the upper right corner where you can find the Indexesoption.

·        Click on theNew Index button at the upper right corner, where you get a popup window like below.

·        Provide a name to your Index and keep other fields as it is if your are new to Splunk. Otherwise you can customise those values according to your need but that part is irrelevant to the purpose of this post.

·        After saving the above pop up, we need to create an HEC (HTTP Event Collector)token.

·        To navigate to that window, click on Settings like earlier and then select Datainputs.

·        Click on the New Token button in the upper right hand corner where you will get four steps to fill data.

First - Provide a name

Second: Select the created index

Third: Review settings

Fourth: Complete and copy the token value

Now we are good to go ahead with Fluent Bit related changes. It’s all about the configuration file.

   Name    dummy

   Name    nest
   Match   *
   Operation   nest
   Wildcard    *
  Nest_under  event

   Name      modify
   Match     *
   Add indexflb_index

   Name        splunk
   Match       *
   Host        <your splunk server ip goes here>
   Port        8088
   TLS         Off
  TLS.Verify  Off
   Splunk_Token<your splunk HEC token goes here>
  Splunk_Send_Raw On

I am not going todescribe the configuration parameter included here, because it has been clearly explained in the Fluent Bit documentation.

Once you run the Fluent Bit configuration file, you will be able to query the index from Splunk application.

Results will look something like below.

Done! It is quite straightforward and easy as that. Hope you will also find it easy too!