Currently I have a security appliance sending JSON data via HTTP POST to an all-in-one stand-alone Splunk test instance.
Now I want to send the JSON data to an intermediate Heavy Forwarder in production (which feeds the indexers).
The test instance is receiving the JSON data via HTTP POST. A Splunk user account was created to pass the RESTful API data, with a RESTfulAPI role and edit_tcp capabilities. The security appliance is configured with the username and password created previously, and is sending data to:
https://:/services/receivers/simple? host=&source=wmps sourcetype=fe_json
The stand-alone test instance has an enabled receiver directly on the indexer (I believe) and receives the data without a problem.
At this point I need to reconfigure the security appliance to send data to the heavy forwarder, and I am not sure how to set up a receiver on the heavy forwarder so that it will act the same as the test instance. After the connection is established, I would like to edit down the amount of data from the security appliance to only the desired fields by changing the .conf files.
Any advice or reference is appreciated.
Thank you
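As an added example (not from the poster's environment or from Splunk), the script below builds the same kind of HTTP POST the appliance sends to services/receivers/simple, with the query string properly encoded, basic auth for the REST account, and TLS certificate verification left on. HF_BASE, the account name and the sample event are placeholders or constructed values; keep_fields trims the event on the sending side, which is a client-side alternative to the props/transforms edits planned on the Splunk side.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Assumed placeholders: replace with the heavy forwarder's management
# host:port and the RESTful API service account described in the question.
HF_BASE = "https://hf.example.internal:8089"
API_USER = "svc_wmps"      # constructed example account name
API_PASS = "change-me"     # placeholder, never hard-code a real secret

def keep_fields(event: dict, wanted) -> dict:
    """Return only the wanted keys of an appliance event (client-side trim)."""
    return {k: event[k] for k in wanted if k in event}

def build_receiver_url(base: str, host: str, source: str, sourcetype: str) -> str:
    """Build the receivers/simple URL; urlencode inserts the '&' separators
    and escapes values, which a hand-typed query string easily gets wrong."""
    query = urllib.parse.urlencode(
        {"host": host, "source": source, "sourcetype": sourcetype})
    return f"{base}/services/receivers/simple?{query}"

def build_request(base, user, password, event, host, source, sourcetype):
    """Assemble the POST as the appliance would: JSON body plus basic auth."""
    url = build_receiver_url(base, host, source, sourcetype)
    body = json.dumps(event, separators=(",", ":")).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    return req

def send_event(req, cafile=None):
    """Send the request; cafile points at the CA that signed the HF's cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed sample event, not real appliance output.
    raw = {"alert_id": 42, "severity": "high", "src_ip": "10.0.0.5",
           "debug_blob": "x" * 4096}
    trimmed = keep_fields(raw, ["alert_id", "severity", "src_ip"])
    req = build_request(HF_BASE, API_USER, API_PASS, trimmed,
                        "appliance01", "wmps", "fe_json")
    print(req.full_url)
    # send_event(req, cafile="/path/to/hf-ca.pem")  # once the HF receiver is up
```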