I'm a bit confused about how to stream data from AWS Firehose into Splunk. Specifically, do we need to inform Splunk about our Firehose setup, or is it enough just to provide the HEC token and the URL? I thought that as long as we had the necessary HEC credentials, Firehose should be able to send data without needing any special access enabled on Splunk's end. However, I came across a Terraform example from Disney that mentions needing to enable the CIDR blocks from which the Firehose will send data on the Splunk side. I'm trying to clarify what Splunk needs to set up on their end besides just providing us with the HEC token and URL. I'm familiar with the AWS requirements but unclear about the Splunk side since we might not have control over it or be able to add plugins.
1 Answer
To send AWS data to Splunk, it's best to utilize their built-in options, which include a Terraform module for this purpose. This method uses AWS role assumption so that you can manage a limited role to conduct the data stream. If you're sending your own data through Firehose, then yes, just the HTTP endpoint and HEC token should suffice, especially if your configuration points to an existing index in Splunk. But remember, to get your data into Firehose, you'll still need to set up IAM permissions as usual.
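As an added illustration of the "just the HTTP endpoint and HEC token" setup the answer describes (this is example code, not from the answer, Disney's module, or Splunk), here is a minimal Firehose delivery stream with a Splunk destination. It assumes the AWS Terraform provider v5 resource layout (nested `s3_configuration`), and the role ARN, bucket, HEC endpoint and token are placeholders you supply.

```hcl
# Placeholder inputs; the token is marked sensitive so it never lands in plan output.
variable "splunk_hec_endpoint" {
  description = "Splunk HEC URL, e.g. https://http-inputs-<stack>.splunkcloud.com:443 (placeholder)"
  type        = string
}

variable "splunk_hec_token" {
  description = "HEC token issued by the Splunk admins (placeholder)"
  type        = string
  sensitive   = true
}

resource "aws_kinesis_firehose_delivery_stream" "to_splunk" {
  name        = "app-logs-to-splunk" # constructed name
  destination = "splunk"

  splunk_configuration {
    hec_endpoint      = var.splunk_hec_endpoint
    hec_token         = var.splunk_hec_token
    hec_endpoint_type = "Event" # or "Raw"; must match how the token's input is defined

    # Firehose waits for HEC indexer acknowledgment; the Splunk side must have
    # indexer acknowledgment enabled on this token or deliveries will time out.
    hec_acknowledgment_timeout = 600
    retry_duration             = 300

    # Failed events are spilled to S3 so nothing is silently lost; this is the
    # only reason the stream still needs an IAM role and bucket on the AWS side.
    s3_backup_mode = "FailedEventsOnly"

    s3_configuration {
      role_arn           = "arn:aws:iam::123456789012:role/firehose-splunk-role" # placeholder
      bucket_arn         = "arn:aws:s3:::firehose-splunk-failed-events"          # placeholder
      buffering_size     = 5
      buffering_interval = 300
      compression_format = "GZIP"
    }
  }
}
```

What this does not cover is the Splunk side: besides issuing the token, the HEC endpoint must present a certificate Firehose can validate, have indexer acknowledgment enabled, and, if it sits behind a firewall or allow-list, accept inbound traffic from the Firehose address ranges published for your region, which is the CIDR requirement the question's Disney example refers to.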
I’m leaning towards using my own sources for data. Why does the Disney Terraform mention that you must expose the public CIDRs on the Splunk side? Also, can you explain what you mean by 'default support' or the Terraform module? I mostly find AWS examples or Disney-sourced ones.