Dell PowerStore 3200T Using the Common Event Enabler 8.x on Linux Platforms - Page 15

Managing Indexing, Set up access for Splunk

7 Managing Indexing

The Index sub-facility of CEPA is a mechanism for delivering bulk events in asynchronous mode to partner applications. The delivery cadence is based on either a time period or a number of events. You can use this Index facility to deliver bulk events to Splunk Enterprise or Splunk Cloud.

Topics:
  • Set up access for Splunk

Set up access for Splunk

About this task
Use the Index facility to deliver events to Splunk Enterprise or Splunk Cloud by performing the following steps. You must define Index entries in the configuration file.

Steps
1. From the /opt/CEEpack directory, open the emc_cee_config.xml file.
2. In the <Index> section, do the following:
   a. In the <Configuration> section, do the following:
      i. Set Enabled to 1 to enable Index.
      ii. Set EndPoint and specify the host and port, or hosts and ports, of the instances where the Splunk consumer application is installed, in the following format:
          SplunkHEC@https://<host>:<port>
          where <host> is the URI, IP address, or FQDN of Splunk Enterprise or Splunk Cloud. For example, SplunkHEC@https://10.3.4.20:8088.
          When setting multiple entries, you must use a ; (semicolon) to separate the individual entries. For example, SplunkHEC@https://10.3.4.20:8088;SplunkHEC@https://10.3.4.40:8088.
      iii. (Optional) FeedInterval specifies how often, in seconds, information is sent from the Index application to the Splunk consumer application. The default is 60 seconds. The range is from 60 seconds to 600 seconds. Update this value only if necessary.
      iv. (Optional) MaxEventsPerFeed specifies how many events are accumulated before information is sent from the Index application to the Splunk consumer application. The default is 100 events. The range is from 10 events to 10,000 events. Update this value only if necessary.
   b. In the <SplunkHEC> subsection, do the following:
      i. Specify Index, which is a user-defined name for the index being used on Splunk Enterprise or Splunk Cloud. Only one index value is allowed.
      ii. Set Host server to the name of the URI or IP address of Splunk Enterprise or Splunk Cloud.
      iii. Set token by copying the token value that is defined in the HTTP Event Collector in Splunk Enterprise or Splunk Cloud to here.
      NOTE: To use multiple instances of the Splunk consumer application, you must create multiple <Host server="" token=""> values - one for each location.
3. Save the configuration file, and then close it.

Results
The FeedInterval and MaxEventsPerFeed delivery cadences are used simultaneously.
The Index application sends a list of events to the Splunk consumer application, not the actual content of files.
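
A pre-save check of the values entered in the steps above, as an added example that is not part of the Dell documentation or the CEE product. It takes the values as a plain dict (a hypothetical shape, because the page does not show the XML layout), and it assumes each EndPoint host is paired with a Host entry by its server value; the index name and token in the sample are constructed placeholders.

```python
import re

# Format given on the page: SplunkHEC@https://<host>:<port>, entries separated by ';'
ENDPOINT_RE = re.compile(r"^SplunkHEC@https://([^\s:/@;]+):(\d{1,5})$")

def parse_endpoints(value):
    """Split an EndPoint value into (host, port) pairs; raise ValueError on a bad entry."""
    pairs = []
    for entry in value.split(";"):
        m = ENDPOINT_RE.match(entry.strip())
        if not m:
            raise ValueError(f"bad EndPoint entry: {entry!r}")
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        pairs.append((m.group(1), port))
    return pairs

def check_index_settings(cfg):
    """Return a list of problems found in the Index settings (empty list = OK).

    cfg keys (hypothetical dict shape): Enabled, EndPoint, FeedInterval,
    MaxEventsPerFeed, Index as strings; Hosts as a list of (server, token) pairs.
    """
    problems = []
    if cfg.get("Enabled") != "1":
        problems.append("Enabled is not 1; Index is off")
    try:
        endpoints = parse_endpoints(cfg.get("EndPoint", ""))
    except ValueError as exc:
        problems.append(str(exc))
        endpoints = []
    # Ranges from the page; the default applies when the optional value is absent.
    for key, low, high, default in (("FeedInterval", 60, 600, 60),
                                    ("MaxEventsPerFeed", 10, 10000, 100)):
        raw = str(cfg.get(key, default))
        if not raw.isdigit() or not low <= int(raw) <= high:
            problems.append(f"{key}={raw!r} outside {low}-{high}")
    if not cfg.get("Index", "").strip():
        problems.append("Index name is empty")
    # Assumption: an EndPoint host is matched to a Host entry by its server value.
    tokens = {server: token for server, token in cfg.get("Hosts", [])}
    for host, _port in endpoints:
        if not tokens.get(host, "").strip():
            problems.append(f"no Host entry with a token for {host}")
    return problems

# Constructed sample: addresses from the page's example, second Host entry missing.
SAMPLE = {"Enabled": "1", "FeedInterval": "60", "MaxEventsPerFeed": "100",
          "EndPoint": "SplunkHEC@https://10.3.4.20:8088;SplunkHEC@https://10.3.4.40:8088",
          "Index": "cee_events", "Hosts": [("10.3.4.20", "<HEC-TOKEN-PLACEHOLDER>")]}
```

An entry written with http:// instead of https:// does not match the documented format and is reported as a bad EndPoint entry.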