Hello, I'm setting up Splunk HEC Integration in a dev env. The Splunk team provided the URL https://http-inputs-spglobal.splunkcloud.com:443 (is that a correct format?), an index and a token. What should I set as Source and Host? Also, from the Test menu, the only logs I was able to see in Splunk were from when I hit "Send Error Log", but I noticed that they are not stored: I was able to see them for 5 min and then could not see them in Splunk.
@olga g: As long as you're able to see the events in Splunk, it indicates that the configuration is correct. (Source is optional. Host is http-inputs-spglobal.splunkcloud.com:443)
I created a trial account with Splunk, but I was unable to test it within OutSystems because the SSL certificate provided for these accounts is self-signed. As a result, OutSystems is unable to establish a secure connection and returns the error: "Could not establish trust relationship for the SSL/TLS secure channel."
Even when using curl, the request only succeeds if SSL verification is explicitly bypassed using the -k flag: curl -k https://prd-p-4tadm.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk MYTOKEN" -d '{"event": "hello world"}'
I can see a similar issue with respect to SSL in the support section of this component.
I do not see any logs in Splunk except the Error Log. When I click on "Send single event" I do not see anything in Splunk, and when I do Test Batch - Send multiple events I do not see anything in Splunk. What is the right configuration: 1) I want errors to be sent to Splunk 2) I want to see the general logs. But I need the right Source to identify those. Usually the source is the path "/var/logs" in the app. Where does OutSystems store those logs? I can see the option to set 2 different Sources by clicking Add. Or what kind of logs will be sent to Splunk by default?
@olga g: I think there is some confusion regarding this component. This component exposes three methods from the Logic module (AsyncSendToSplunk, SendToSplunk and SendToSplunkBatch) which you can use to send data to Splunk. This component does not send any data automatically from OutSystems to Splunk.
OutSystems stores errors in the PlatformLogs -> Log_Error entity. You can read this and send it to Splunk.
By the way, you may not require this component at all to send the data to Splunk. You can add the Splunk REST API in your application and keep the settings in Site Properties.
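An added example, not part of the thread or of the component: one way to wrap rows read from Log_Error in the HEC event envelope, batch them into a single request to /services/collector/event, and keep TLS verification on by trusting a CA file instead of bypassing the check. The row field names, the host and source values, the sourcetype and the index name are assumptions made for illustration.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample rows shaped like Log_Error records (field names are assumptions).
SAMPLE_ROWS = [
    {"Instant": "2024-05-01T10:15:00Z", "Module": "Orders", "Message": "Timeout calling ERP"},
    {"Instant": "2024-05-01T10:15:02Z", "Module": "Billing", "Message": "Null reference"},
]

def to_hec_event(row, host, source, index, sourcetype="outsystems:error"):
    """Wrap one row in the HEC envelope; host, source and index are set per event."""
    ts = datetime.strptime(row["Instant"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "host": host, "source": source,
            "sourcetype": sourcetype, "index": index, "event": row}

def build_batch(rows, **meta):
    """HEC accepts several event objects concatenated in one request body."""
    return "\n".join(json.dumps(to_hec_event(r, **meta), sort_keys=True) for r in rows).encode()

def build_request(url, token, body):
    """POST with the 'Authorization: Splunk <token>' header used in the curl call above."""
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})

def tls_context(ca_file=None):
    """Certificate and hostname checks stay on; a private CA is trusted via its PEM file."""
    return ssl.create_default_context(cafile=ca_file)

def send(url, token, rows, ca_file=None, **meta):
    req = build_request(url, token, build_batch(rows, **meta))
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=10) as resp:
        return json.load(resp)  # Splunk answers {"text": "Success", "code": 0} on success

if __name__ == "__main__":
    # Hypothetical metadata values; nothing is sent, the batch body is only printed.
    print(build_batch(SAMPLE_ROWS, host="os-dev-frontend01",
                      source="outsystems:Log_Error", index="placeholder_index").decode())
```

Because host and source travel inside each event, errors and general logs can share one token and index and still be told apart in searches by their source value.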
That is the confusion: we thought that Splunk HEC Integration would help us send logs to Splunk, where we can store them. What is the main purpose of Splunk HEC Integration then? Are you saying that it sends logs only if I manually trigger the Test button?
We are looking for a solution to send Error_logs from Service Center and Audit_logs from LifeTime to Splunk, where we can configure the rule for how long we want to store them.
What you could possibly do is create a timer in your application and push the logs to Splunk periodically using the methods exposed in this component.
There is another possibility - Log Streaming. Please have a look at
Looks like Log-Streaming is for Cloud only, we have a self-managed infrastructure. Do you have an idea what we can use for that?
One option I can think of is Splunk DB Connect (https://splunkbase.splunk.com/app/2686), which can read directly from the OutSystems log database and push the data to Splunk.