Splunk Forwarder

What is an Event Collector?

An event collector is an Octoblu forwarder that sends its messages to Splunk as events. Your event collector will collect all messages from specified devices and store them as events in your Splunk instance, using an event token generated by Splunk. You can then send messages directly to the node in the Octoblu designer or, more effectively, using the forwarder.octoblu.com app.

What is a forwarder?

A forwarder is a device in Octoblu that will send messages from specified devices to a datastore, in this case, Splunk. You choose which devices stream their messages to each forwarder and where they point. Go ahead and create your own forwarder - it's easy!

In Meshblu terms, you'll log into your Octoblu account, select an Event Collector Plugin that forwards messages to an Event Collector in Splunk and tell it to subscribe to devices managed by your Octoblu account.

Creating an Event Collector in Splunk

  1. Log into your Splunk Instance
  2. Settings -> Data Inputs -> HTTP Event Collector
  3. Click New Token in the top right.
  4. Follow along to create a new event collector.
  5. Copy and save the Event Collector Token for use in the next step.

Docs on the HTTP Event collector can be found here:

Splunk Docs: Use the HTTP Event Collector

Set-up Gateblu

You'll need a Gateblu running in order to install the Splunk Event Collector plugin.

Gateblu Docs

Next you'll go to forwarder.octoblu.com to install a Splunk Event Collector to your Gateblu and tie it to device subscriptions.

Using the forwarder app (forwarder.octoblu.com)

  1. Log into your Octoblu account at app.octoblu.com
  2. Navigate to Profile from the side-menu
  3. Grab your UUID
  4. Generate a TOKEN and hold on to it for the next step
  5. Navigate to forwarder.octoblu.com
  6. Log in using your UUID/TOKEN
  7. If you have any existing forwarders you will see them listed, otherwise click on "Create Forwarder"
  8. Name your Forwarder
  9. Select the datastore that you want to send messages to. In this case, Splunk
  10. You'll be prompted to enter your Splunk EventCollectorToken and URL

      EventCollectorToken: This is generated by Splunk
      SplunkEventUrl: <host>:<mPort>/services/collector/event

      Example:

      https://localhost:8088/services/collector/event
  11. A Splunk Event Collector plugin will be installed to your Gateblu - this may take a moment
  12. Select the devices you'd like your Splunk Event Collector to subscribe to.

Any messages sent to the Event Collector node will be posted to your HTTP Event Collector in Splunk and can now be searched via its index.

The forwarder site sets up specific devices to forward all messages to the event collector. With the Octoblu designer, you can drag your Event Collector Node into a flow and send messages to it directly as well.
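
To check an EventCollectorToken and SplunkEventUrl independently of Octoblu, the following added example (not part of the Octoblu or Splunk code) builds the HTTP Event Collector request and rejects a cleartext URL before the token is ever sent. The environment variable names, the sourcetype value and the sample message are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

HEC_PATH = "/services/collector/event"  # path from the SplunkEventUrl format above


def build_hec_request(splunk_event_url, token, message, sourcetype="octoblu:message"):
    """Return a urllib Request that posts one message to HEC as an event.

    The sourcetype default is a hypothetical label, not an Octoblu setting.
    """
    parts = urlsplit(splunk_event_url)
    # The token is a bearer secret carried in a header, so refuse cleartext HTTP.
    if parts.scheme != "https":
        raise ValueError("SplunkEventUrl must use https")
    if parts.path.rstrip("/") != HEC_PATH:
        raise ValueError("SplunkEventUrl must end in " + HEC_PATH)
    if not token or token.strip() != token:
        raise ValueError("EventCollectorToken is empty or has stray whitespace")
    body = json.dumps({"event": message, "sourcetype": sourcetype}).encode("utf-8")
    return urllib.request.Request(
        splunk_event_url,
        data=body,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,  # HEC token authentication header
            "Content-Type": "application/json",
        },
    )


def send_test_event(splunk_event_url, token, message):
    """POST the event; TLS certificate verification stays on (urllib default)."""
    req = build_hec_request(splunk_event_url, token, message)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))  # HEC replies with JSON


if __name__ == "__main__":
    # Assumed variable names; read the secret from the environment, never hardcode it.
    url = os.environ.get("SPLUNK_EVENT_URL", "https://localhost:8088" + HEC_PATH)
    # Constructed sample message, shaped loosely like a device message.
    sample = {"devices": ["constructed-uuid"], "payload": {"hello": "splunk"}}
    print(send_test_event(url, os.environ["SPLUNK_HEC_TOKEN"], sample))
```

A Splunk instance with a self-signed certificate will fail verification here; add its CA to the trust store rather than turning verification off.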