
Chapter 1. Installing and configuring the Red Hat Insights application for Splunk


The Red Hat Insights application for Splunk forwards selected Hybrid Cloud Console events to Splunk. The application seamlessly integrates with the Hybrid Cloud Console, so that you can focus on handling the data on the Splunk application side in the same way that you manage other sources of data. After the integration has been configured, you can view and manage Hybrid Cloud Console notifications from the Splunk dashboard without having to open the Red Hat Hybrid Cloud Console.

Contacting support

If you have any issues with the Red Hat Insights application for Splunk, contact Red Hat for support. You can open a Red Hat support case directly from the Hybrid Cloud Console by clicking Help (? icon) > Open a support case, or view more options from ? > Support options.

Splunk will not provide troubleshooting. The Red Hat Insights application for Splunk is fully supported by Red Hat.

Prerequisites

  • You have Splunk login credentials:

    • On Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
    • On Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.
  • You have Organization Administrator permissions for the Hybrid Cloud Console.

1.1. Installing the Red Hat Insights application for Splunk

Install and configure the Red Hat Insights application for Splunk to integrate Splunk with the Hybrid Cloud Console so that Splunk can receive event notifications from the Hybrid Cloud Console. The setup automation performs the following tasks:

  • Creates a user group with the Notifications administrator role using the Organization Administrator permissions. You can also create the user group manually. For more information about manual configuration, see Manually configuring a Notifications administrator group in your Hybrid Cloud Console account.
  • Uses the Splunk HEC URL and HEC token to create a new integration called SPLUNK_AUTOMATION, with the integration type Splunk.
  • Creates a new behavior group called SPLUNK_AUTOMATION_GROUP on the RHEL bundle. The group includes an action to send notifications to the SPLUNK_AUTOMATION Splunk integration.
  • Assigns the new behavior group SPLUNK_AUTOMATION_GROUP to all Hybrid Cloud Console services. This forwards the events from all services to Splunk. Currently, the behavior group forwards events from the Advisor, Policies, Drift, Compliance, Malware Detection, Patch, and Vulnerability services.

When Splunk begins to receive notifications from the Hybrid Cloud Console, the Red Hat Insights application for Splunk dashboard shows event activity. Each number contains a hyperlink to the Hybrid Cloud Console.


Prerequisites

  • You have Organization Administrator permissions for the Hybrid Cloud Console.
  • You have Splunk login credentials:

    • To install applications on Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
    • To install applications on Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.
  • Popup blockers are disabled in your browser.

Procedure

  1. Install the Red Hat Insights Application for Splunk:

    1. Log in to Splunk.
    2. On the home page, search for Red Hat Insights in the filter box and select it.
    3. Click Install. When the installation process completes, the message Install successful displays.
    4. On the home page, click the Settings menu (gear icon). The Apps page opens.
    5. Enter Red Hat Insights in the filter box and then click the magnifying glass. The application appears in the search results.
    6. On the home page, click Find more apps under the Apps heading on the left of the screen. The Browse More Apps page opens.
    7. Enter Red Hat Insights in the filter box and then press the Enter key. Red Hat Insights appears in the search results.
    8. Select Red Hat Insights.
    9. Click Install.
    10. Confirm or enter your Splunk username and password and then click Agree and Install. When the installation process completes, the Complete dialog box opens.
  2. Set up the Red Hat Insights Application for Splunk:

    1. In the Complete dialog box, click Open the App. The App configuration page opens.
    2. Click Continue to app setup page. The Set up integration with Red Hat Insights page opens. The page includes the HTTP Event Collector (HEC) name and default index fields.


    3. Under Create Red Hat Default Index, click Settings > Index. The Indexes page opens in a new tab.
    4. On the Indexes page, click New Index.
    5. Type a name for the index in the Name field (for example, redhatinsights).
    6. Enter values in the Max raw data size and Searchable retention (days) fields.
    7. Click Save. The index you created appears in the Indexes list. It is enabled by default.
    8. On the first Splunk screen, on the Set up integration with Red Hat page, type the name for the HEC in the HEC name field (for example, redhatinsights).
    9. Type the name of the index you just created in the Default index field (for example, redhatinsights).
    10. Click Next.
    11. Click Review and then click Submit. The HEC name that you created appears in the HEC Name field.
    12. Click Next to create the HEC URL and HEC Token.


  3. Configure Splunk integration in Insights:

    1. Click Copy to copy the HEC URL value in Splunk Enterprise.
    2. Click Next: Configure Splunk integration in Insights. The Hybrid Cloud Console opens in a new browser tab.

      Note

      This button is disabled until you click the Copy button for either the HEC URL or HEC token.

    3. In the Hybrid Cloud Console, navigate to Settings > Integrations.
    4. Paste the HEC URL value into the Splunk HEC URL field.

      Note

      If the new tab for the console does not open, disable the popup blocker in your browser.

    5. Add the port, if needed. The default port for Splunk Cloud Platform is 443. The default port for Splunk Enterprise and Splunk Cloud free trial is 8088.
    6. Optional: If you are using Splunk Cloud, edit the HEC URL that you pasted into the Splunk HEC URL field on the Integrations page to match the Splunk Cloud format:

      • Use the following format for Splunk Cloud Platform on all clouds except Google Cloud Platform (GCP):

        <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
      • Use the following format for Splunk Cloud Platform on Google Cloud Platform (GCP):

        <protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>

      Replace the following placeholders:

      • protocol: Either http or https.
      • host: The name of the Splunk Cloud Platform instance that runs the HEC, followed by the domain .splunkcloud.com.
      • port: The HEC port number (443 by default on Splunk Cloud Platform instances).
      • endpoint: The HEC endpoint that you want to use. In many cases, you use the /services/collector/event endpoint for JSON-formatted events, or the /services/collector/raw endpoint for raw events.

      Examples:

      • Splunk Cloud Platform on GCP using JSON:

        https://http-inputs.myhost.splunkcloud.com:443/services/collector/event
      • Splunk Cloud free trial on AWS using raw events:

        https://http-inputs-otherhost.splunkcloud.com:443/services/collector/raw
  4. Complete the setup process:

    1. Copy the HEC Token value in Splunk and paste it into the Splunk HEC Token field on the Hybrid Cloud Console Integrations page.
    2. In the Hybrid Cloud Console, click Run configuration. The Hybrid Cloud Console sets up the integration, creates the behavior group, and associates Hybrid Cloud Console events with the behavior group. The status message section on the right side of the page shows the status of each of these actions.
    3. When the setup completes successfully, click Next: Review. The application returns the message Splunk integration in Insights completed.
    4. Click Go back to the Splunk application. This redirects you to the Set up integration with Red Hat screen in Splunk.
    5. Click Finish set up to complete the setup in Splunk.
    6. Click Go to dashboard to be redirected to your Splunk dashboard.

      Note

      If the integration configuration fails during the Insights setup process, contact Red Hat support.

    7. To view a list of Hybrid Cloud Console events on the Splunk dashboard, click the Events tab. Each event is hyperlinked to the Hybrid Cloud Console.

1.2. Enabling the HEC token

Before Splunk can receive Hybrid Cloud Console events, you must enable the HEC token.

Prerequisites

  • You have Organization Administrator permissions for the Hybrid Cloud Console.
  • You have Splunk login credentials:

    • On Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
    • On Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.

Procedure

  1. From the Splunk home page, navigate to Settings.
  2. Select Data Inputs, and then select HTTP Event Collector. The HTTP Event Collector page shows the HEC, its Token value, the corresponding index that you selected during setup, and the status of the HEC.


  3. Click Global Settings in the upper right corner of the page. The Edit Global Settings dialog box displays.


  4. Select Enabled. This enables the HEC token that was automatically created during the setup process.

    Note

    The HEC token uses a default HTTP port number of 8088. If you are using a different port (such as port 443 for Splunk Cloud), you must update your Hybrid Cloud Console Splunk Integration to match.


1.3. Manually configuring a Notifications administrator group in your Hybrid Cloud Console account

The Red Hat Insights application for Splunk automated installation and setup process automatically configures a Notifications administrator role and group in your Hybrid Cloud Console account. However, you can create the Notifications administrator manually.

Prerequisites

  • You are logged in to the Hybrid Cloud Console with the Organization Administrator role.

Procedure

  1. Click Settings > Identity & Access Management.
  2. Under Identity & Access Management, expand User Access if necessary, and select Groups.
  3. Click Create group. The Name and description page appears.
  4. Enter a name for the group (for example, splunknotifgroup), enter a description, and click Next. The Add roles page opens.
  5. To add the Notifications administrator role, enter notif in the search box.
  6. Select Notifications administrator from the search results list, and click Next. The Add Members page opens.
  7. Select the users to add to this group. You can use the search box to search for specific names.
  8. Click Next. The Review Details page opens.
  9. Review the information, and click Submit to create the group.
  10. Click Exit. The Groups page opens.

Verification

  1. Enter the new group name in the search box.
  2. Click the group name. The page for the group opens.
  3. On the Roles tab, verify that the group has the Notifications administrator role.
  4. Click the Members tab and verify that the group includes the correct members.

1.4. Manually configuring a Splunk integration

The Red Hat Insights application for Splunk automated installation and setup process automatically configures Splunk integration to your Hybrid Cloud Console account. Use this procedure if you want to configure the integration manually.

Prerequisites

  • You have an HTTP Event Collector (HEC) URL from Splunk Cloud or Splunk Enterprise.
  • You have the HEC token value from Splunk Cloud or Splunk Enterprise.
  • You are logged in to the Hybrid Cloud Console with the Notifications administrator role.

Procedure

  1. In the Hybrid Cloud Console, navigate to Settings > Integrations.
  2. Select the Reporting & Automation tab.
  3. Click Add integration.
  4. Select Splunk as the integration type, and click Next.
  5. Enter a name for your new integration in the Integration name field (for example, redhat_splunk).
  6. In the Endpoint URL field, add your Splunk HEC endpoint URL:

    1. For Splunk Enterprise, Splunk uses port 8088 by default. For example: https://<splunk-endpoint>:8088
    2. For Splunk Cloud, Splunk uses port 443. For more information about Splunk Cloud on AWS or GCP, see Send data to HTTP Event Collector.

      Note

      The service automatically adds <endpoint> (the http path). You do not need to include it in the form input for the Endpoint URL.

      The following examples show endpoint URLs with the correct port numbers for Splunk platforms.

      • On premise (Splunk Enterprise): https://splunk.company.com:8088
      • Splunk Cloud (on AWS): https://http-inputs-mycompany.splunkcloud.com:443
      • Splunk Cloud (on GCP): https://http-inputs.mycompany.splunkcloud.com:443
  7. In the Secret token field, add the Splunk HEC token value.
  8. Click Next.
  9. Review the integration details and click Submit.
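As an added example (not code from the Red Hat or Splunk documentation), the following Python helper applies the URL rules from the Splunk Cloud HEC URL format step in Section 1.1 and from the Endpoint URL step in this procedure: it classifies a pasted HEC URL by platform and host format, warns when the port does not match the documented default or when the protocol is plain http, and strips the collector path, because the manual integration form takes only protocol, host and port. The function names, the returned field names and the warning texts are my own.

```python
"""Added helper, not part of the Red Hat or Splunk documentation: checks a Splunk
HEC URL against the host formats and default ports described in this guide."""
from urllib.parse import urlsplit, urlunsplit

# Default HEC ports from the procedure: Splunk Cloud Platform 443, Splunk
# Enterprise 8088 (the Splunk Cloud free trial also uses 8088, so the cloud
# port check is advisory only).
DEFAULT_PORTS = {"cloud": 443, "enterprise": 8088}
COLLECTOR_ENDPOINTS = ("/services/collector/event", "/services/collector/raw")


def classify_hec_url(url: str) -> dict:
    """Return platform, host format, port, endpoint and a list of warnings."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme not in ("http", "https"):
        warnings.append("protocol must be http or https")
    elif parts.scheme == "http":
        warnings.append("http sends the HEC token in clear text; use https")
    if host.endswith(".splunkcloud.com"):
        platform = "cloud"
        if host.startswith("http-inputs-"):
            host_format = "all clouds except GCP"   # http-inputs-<host>
        elif host.startswith("http-inputs."):
            host_format = "gcp"                     # http-inputs.<host>
        else:
            host_format = "unknown"
            warnings.append("Splunk Cloud HEC hosts start with http-inputs- or http-inputs.")
    else:
        platform, host_format = "enterprise", "on-premise"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != DEFAULT_PORTS[platform]:
        warnings.append(f"port {port} is not the default {DEFAULT_PORTS[platform]} for "
                        f"{platform}; the console integration and the HEC must agree")
    endpoint = parts.path.rstrip("/") or None
    if endpoint and endpoint not in COLLECTOR_ENDPOINTS:
        warnings.append(f"unexpected HEC endpoint {endpoint}")
    return {"platform": platform, "host_format": host_format, "port": port,
            "endpoint": endpoint, "warnings": warnings}


def manual_endpoint_url(url: str) -> str:
    """Strip the collector path: the manual integration form takes only
    <protocol>://<host>:<port>; the service appends the endpoint itself."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", "", "", ""))
```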

