Our Windows and Custom Windows Events packages both include our experimental Splunk API input. We include a Splunk section within the package description, but it's causing some confusion among users and needs to be updated.
Current text:
Splunk Enterprise
To configure Splunk Enterprise to be able to pull events from it, please visit Splunk docs for details. The integration requires events in XML format, for this renderXml option needs to be set to 1 in your inputs.conf.
Updated text (suggested):
Ingesting Windows Events via Splunk
This integration offers the ability to seamlessly ingest data from a Splunk Enterprise instance. These integrations work by using the httpjson input in Elastic Agent to run a Splunk search via the Splunk REST API and then extract the raw event from the results. The raw event is then processed by the Elastic Agent. Both the Splunk search and the interval between searches are customizable. For more information on the Splunk API integration please see here.
This integration requires Windows Events from Splunk to be in XML format. To achieve this, renderXml needs to be set to 1 in your inputs.conf file.
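As an added example (not part of the package description or the Elastic integration's own docs), the inputs.conf stanza below shows what the renderXml requirement looks like in practice for the Windows Security channel. The channel name is a placeholder; the stanza name and settings follow Splunk's documented inputs.conf format, and the sourcetype note is a caveat to verify against your Splunk Windows add-on version.

```ini
# Added example, not from the integration's docs.
# Splunk inputs.conf stanza for a Windows event log channel.
# The channel (Security) is a placeholder; use the channel you forward.
[WinEventLog://Security]
disabled = 0

# Splunk's default for renderXml is 0 (plain-text rendering). The Elastic
# httpjson-based input expects the raw event in XML, so this must be 1.
renderXml = 1

# Caveat (assumption to verify in your deployment): with renderXml = 1 the
# Splunk Windows add-on typically assigns the sourcetype
# XmlWinEventLog:<channel> rather than WinEventLog:<channel>, so the search
# the integration runs against the REST API should target the XML sourcetype.
```

After changing inputs.conf, restart the forwarder or reload inputs so the new rendering takes effect; events indexed before the change remain in plain text and will not parse as Windows events on the Elastic side.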