How to set up Splunk

This guide will provide step-by-step instructions on how to set up Splunk Indexes and an HTTP Event Collector, enabling you to easily view Fabric Events and Metrics. You will create two Indexes—one for Metrics and one for Events—and configure the settings for data retention and storage. You can use the Index and HTTP Event Collector Token Details in the following POST /fabric/v4/streamSubscriptions request.

curl –X
POST 'https://api.equinix.com/fabric/v4/streamSubscriptions'
-H 'Content-Type: application/json'
-H ' Authorization: Bearer <bearer token="">’
-d '{
"type": "STREAM_SUBSCRIPTION",
"name": "<subscription_name>",
"description": "subscription_desc",
"stream": {
"uuid": "<stream_id>"
},
"sink": {
"uri": "<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>",
"type": "SPLUNK_HEC",
"settings": {
"eventIndex": "<name_of_eventindex>",
"metricIndex": "<name_of_metricindex>",
"source": "<name_of_splunk_hec>"
},
"credential": {
"type": "ACCESS_TOKEN",
"accessToken": "Splunk <splunk_access_token>"
}
}
}'</splunk_access_token></name_of_splunk_hec></name_of_metricindex></name_of_eventindex></endpoint></port></host></protocol></stream_id></subscription_name></bearer>

Step-by-Step Instructions

1. Log in and Navigate to the Home Page 

• Start by logging in to your Splunk instance.
• Once logged in, go to the Home page.

2. Access the Settings

• On the Home page, click on Settings in the top menu
• In the Settings menu, navigate to Indexes under the "Data" section.

3. Create an Event Index

• On the Indexes Page, click on New Index to create a new index. 

3.1 Select Event Index Data Type

• Index Data Type: Events Index Data Type is selected by default. 

3.2 Name the Event Index

• Name: Enter a name for your Event Index

3.3 Set Data Size Limit

• Data Size: Set the data size limit for the Index. For example, you can set it to 100MB.

3.4 Configure Retention Policy

• Retention Policy: Set the retention policy, i.e. 30 days. This means that data older than 30 days will be automatically deleted from the Index. 

3.5 Set Dynamic Data Storage

• Dynamic Data Storage: Leave the settings as default for dynamic data storage. This ensures that your data is stored efficiently based on Splunk's default storage configuration.
• You will use above Event Index Name later in the POST /fabric/v4/streamSubscriptions request.

4. Create a Metric Index

• On the indexes page, click on New Index to create a new Index.

4.1 Select Metrics Index Data Type

• Index Data Type: Select Metrics Index Data Type.

4.2 Name the Metric Index

• Name: Enter a name for your Metric Index

4.3 Set Data Size Limit

• Data Size: Set the data size limit for the Index. For example, you can set it to 100 MB.

4.4 Configure Retention Policy

• Retention Policy: Set the retention policy, i.e. 30 days. Thsi means that data older than 30 days will be automatically deleted from the index.

4.5 Set Dynamic Data Storage

• Dynamic Data Storage: Leave the settings as default for dynamic data storage. This ensures that your data is stored efficiently based on Splunk's default storage configuration.
• You will use above Metric Index Name later in the POST /fabric/v4/streamSubscriptions request

5. Generate a HTTP Event Collector Token Value

• Ensure that the token values generated during this process are saved securely. These tokens may be required for further integration or for data ingestion processes.

5.1 Navigate to the Splunk Home Page

• On the Home Page, go to Settings in the top menu
• Under the "Data" section, click on Data Inputs

5.2 Select HTTP Event Collector

• In the Data Inputs section, select HTTP Event Collector

5.3 Create an HTTP Event Collector Token

• Click the New Token button to start the setup processes for the HTTP Event Collector

5.4 Name the HTTP Event Collector

• On the Add Data page, the only required input is the name.
• Name: Enter a name for your HTTP Event Collector.

5.5 Complete the Setup

• After naming your HTTP Event Collector, click Next on the Select Source Step.
• Click Next on the Input Settings Step to review your configurations.
• Finally, click Submit on the Review Step to complete the setup.

5.6 Add the Event and Metrix Indexes to the HTTP Event Collector

• In HTTP Event Collector, click "edit" on your HTTP Event Collector.
• Select your event and metric indexes that you have created.
• Set the event index as your default index.

5.7 Copy the Token Value

• Once the setup is complete, a Token value will be generated.
• Copy this Token value to your clipboard, as it will be needed later for the POST streamSubscription API.

6. Create a Splunk Subscription

• Now that the Indexes and HTTP Event Collector are set up, call the POST fabric/v4/streamSubscriptions request.

Example: 

curl –X
POST 'https://api.equinix.com/fabric/v4/streamSubscriptions'
-H 'Content-Type: application/json'
-H ' Authorization: Bearer <bearer token="">’
-d '{
"type": "STREAM_SUBSCRIPTION",
"name": "<subscription_name>",
"description": "subscription_desc",
"stream": {
"uuid": "<stream_id>"
},
"sink": {
"uri": "<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>",
"type": "SPLUNK_HEC",
"settings": {
"eventIndex": "<name_of_eventindex>",
"metricIndex": "<name_of_metricindex>",
"source": "<name_of_splunk_hec>"
},
"credential": {
"type": "ACCESS_TOKEN",
"accessToken": "Splunk <splunk_access_token>"
}
}
}'</splunk_access_token></name_of_splunk_hec></name_of_metricindex></name_of_eventindex></endpoint></port></host></protocol></stream_id></subscription_name></bearer>

7. Search Events and Metrics

• Go to Home Page. Click on Search & Reporting. This will take you to a Splunk search page and search with your Event Index. E.g. index="". 
• Refer to the "Fabric Observability with Client Sink Integration" document for detailed instructions on how to receive Events using a specific Sink Type.

• Additionally, refer to Splunk Documentation to Search and Query for Metrics. 

Example: 

| mstats avg(_value) prestats=t WHERE index="<name_of_metric_index>” AND
metric_name="equinix.fabric.[port | connection | metro].*" span=1m by metric_name |
timechart avg(_value) as "Avg" span=1m by metric_name</name_of_metric_index>