
Last year at .conf17, my team conducted a survey of customers. We asked for feedback on how to improve data ingestion into Splunk. We received lots of great ideas, and learned that one of the biggest challenges facing newer customers is “how do I start getting data into Splunk?”
We heard you ask if you should start with the Add Data screen or whether you should go to Splunkbase to select the source. Judging by the customers we talked with, you just want data flowing into Splunk so that you can get to that “aha moment”.
This reminds me of a personal project this past summer when I wanted to clean dirt and moss from my driveway. The day I was ready to start the project, I realized that I needed to assemble the pressure washer. The frustrating part was the assembly process took multiple tries because I did not have enough time to finish the assembly on my first try. After the assembly was complete, I achieved my goal of pressure washing my driveway. For me, this process was challenging because I needed to complete the pressure washing the day I brought the pressure washer home.
The experience fits the feedback that we received from you. You do not have a lot of time to spend on what it takes to ingest data, and there is not a unified user experience on how to get data into Splunk.
After I received your feedback, I decided to try ingesting data for myself. My goal was to ingest it from a Cisco ASA device, and I decided to start with the Add Data page, which you can see below.
When I got to this page, how to get data in from my Cisco ASA device was not obvious. How does Upload, Monitor or Forward relate to my goal of configuring my Cisco ASA device to send data to be indexed in Splunk? I was not certain.
So then I thought it must be covered on Splunkbase, because I knew about apps and add-ons on Splunkbase that can be downloaded and installed on Splunk. I found the Splunk Add-on for Cisco ASA overview page, but it still was not clear how to use the Add Data page to install the app and configure the device to send data to Splunk.
As I read the overview page, I saw the “Installation and configuration overview for the Splunk Add-on for Cisco ASA”. This link provided me with some information, but I realized there was so much more that I needed to understand before I could proceed. I needed to understand Search Heads, Indexers, Heavyweight Forwarders, Universal Forwarders, Light Forwarders, Search Head Clusters, Indexer Clusters, and the Deployment Server. After spending considerable time going through the documentation, most everything was there, but I had to piece together everything to create my own instructions. I also had the advantage that when I got stuck, I had experts readily available to answer my questions.
This exercise helped me understand the challenges of ingesting data into Splunk indexers. Based upon your feedback and my experience, we decided to build a guided experience for onboarding data, called Guided Data Onboarding (GDO).
Introducing Guided Data Onboarding
You are probably asking “what is Guided Data Onboarding (GDO)?” GDO is end-to-end, task-based guidance that starts from the Add Data page in Splunk Web. This new experience provides a guided experience for configuring and installing Splunk add-ons for your specific Splunk deployment environment. If you have a Splunk deployment up and running, and you have an admin (or equivalent) role that lets you install add-ons, you can use these guides to get popular data sources into your Splunk platform deployment.
To access the new Guided Data Onboarding feature, select the Add Data Screen from your home page in Splunk Web. You can either search for a data source or explore different categories of data sources. Currently, the categories are Networking, Operating System and Security.
If you are comfortable using the past approach, it is still available to you—see the section that follows the orange rectangle.
When you use Guided Data Onboarding, after you select your data source, you must select a deployment scenario. Then, you can view diagrams and high-level steps to set up and configure your data source. As you can see from the screenshot below, this guided experience provides high-level steps for installing and configuring a Cisco ASA appliance to send data to Splunk, versus the experience where I had to put this together myself.
If you need more details, follow the Splunk Web links to documentation that explains how to set up and configure your data source in greater detail. You can find all the Guided Data Onboarding manuals by clicking the Add data tab on docs.splunk.com. We also provide a simple SPL query so that you can verify that your data has been successfully ingested into Splunk.
Supported data sources and deployment scenarios
At the time of this writing, Splunk is supporting Guided Data Onboarding for six data sources: Cisco Adaptive Security Appliance (ASA), Palo Alto Networks, Microsoft Windows, McAfee ePO AV and Intrushield, Microsoft Active Directory (AD), and Symantec Endpoint Protection.
For each data source, Splunk also currently supports Guided Data Onboarding for three deployment environments: single instance deployments, distributed deployments that leverage indexer clustering, and managed Splunk Cloud deployments.
Ask
My ask of you is that you start using the Guided Data Onboarding feature. Let us know if you get to that “aha moment” faster using Guided Data Onboarding. You should also stay tuned to this blog as we continue to find ways to make it easier to ingest data into Splunk.