In order to see Thundra data on your Splunk instance there are three steps you will need to complete.
In order to run Thundra Integrator for the Splunk AMI, you will need the Thundra License Key. Please fill out the form on this page, and we will contact you with your license key shortly.
Thundra provides an AWS CloudFormation template to easily set up your integration.
Below is the deployment topology created from the CloudFormation template. It includes:
- The Thundra Receiver App that collects, transforms and aggregates data from the Thundra Lambda agent.
- The Splunk universal forwarder that sends that data to your Splunk instance.
- A data volume that temporarily stores the files and data collected from the Thundra agent. This data volume cleanses the Thundra data hourly.
To deploy the Thundra Integration for Splunk AMI:
- Access AWS CloudFormation console
Specify an Amazon S3 template URL and enter https://s3-us-west-2.amazonaws.com/thundra-splunk-integrator/thundra-splunk-cf-template.json, on which we host the CloudFormation template.
- Fill out the template:
- Enter a Stack Name (Example: thundra-splunk-forwarder)
- Optional: Enter an EBS Volume Size (Default: 50GBs. We are cleaning the data written here hourly, so we thought that 50GBs is enough. Please feel free to adjust this size for your expected hourly data volumes.)
- Select Enable HTTPS to enable or disable SSL with a self signed certificate
- Select the appropriate EC2 KeyPair name to enable SSH access to your EC2 instance
- Enter your Splunk Admin password for your Splunk Deployment
- Enter the IP address range that is allowed SSH access to your EC2 instance
- Enter optional API Key Prefix and/or API Key values.
- These API keys are used to update the Thundra agent to send data to the Thundra-Splunk Integrator instead of the Thundra Web Console.
- Enter API Key Prefix. Any Thundra agent that uses this API key prefix will be allowed to send data to the Thundra-Splunk Integrator.
- Enter allowed API Keys. Any Thundra agent that uses this explicitly set API key will be able to send data to the Thundra-Splunk Integrator. Enter API Key(s) as a comma separated list.
If you do not provide an API key or API key prefix, the Thundra-Splunk Integrator will accept data without any authentication. We highly discourage this approach as it is not considered best practice.
**IMPORTANT**: Record your API key information!
Write down or record your API key prefix or API keys!!! You will need to enter them into the Thundra agent YML file in Step 3 of the setup.
- Enter the Thundra license key created from the Thundra Web Console
- Enter the port number through which Thundra-Splunk Integrator will receive the Thundra agent data
- Select your EC2 instance type
Below is a list of the parameters and value requirements needed to fill out the CloudFormation template:
||Size of the attached EBS volume in GBs||Numeric value||50|
||To run Thundra receiver over HTTPS with a self signed certificate, set this parameter to true||true/false||false|
||Keypair name for SSH into EC2 server||AWS EC2 KeyPair values in the region||Empty|
||Admin password for Splunk.||8-32 characters, alphanumeric only||Empty|
||Host name or IP address of Splunk server where data will be forwarded to||Valid IPV4 IP address or hostname||Empty|
||The IP address range that is allowed to SSH to the EC2 instances||Valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.||0.0.0.0/0|
||Prefix of API keys from which the Thundra-Splunk Integrator will receive data. For example, if you set the API key prefix to
||Comma (',') separated list of API keys from which the Thundra-Splunk Integrator will receive data. For example,
||License key for the Thundra-Splunk Integrator can be generated from Thundra Web Console.||Alphanumeric value||Empty|
||Port number for Thundra-Splunk Integrator to receive data over HTTP/HTTPS||Numeric value between 1024 and 65536||8080|
||The IP address range that is allowed to send data to the Thundra Receiver||Must be a valid IP CIDR range of the form x.x.x.x/x.||0.0.0.0/0|
||EC2 instance type||Supported AWS EC2 instance types||d2.xlarge|
- When you are finished filling out the template, click Next to move into the Review screen.
While it is best practice to set tags for your EC2 instance, you are not required to do so to set up this Thundra-Splunk Integration. These options are specific to CloudFormation. For a detailed explanation see the AWS CloudFormation docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html
On the Review screen, review your stack details. When ready, click Create on the lower right corner of the screen to deploy your stack.
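A pre-deployment check of the template values, as an added example that is not part of Thundra's documentation or tooling: it flags the settings this page describes as permissive (the 0.0.0.0/0 ranges, no API key or prefix, HTTPS disabled) and validates the password and port formats. The parameter key names are hypothetical, because the table above does not show them; the sample values are constructed.

```python
import ipaddress
import re

# Hypothetical parameter keys (the page's table lost its name column);
# substitute the real keys from the CloudFormation template you deploy.
SSH_CIDR, RECEIVER_CIDR = "SSHLocation", "ReceiverLocation"
API_PREFIX, API_KEYS = "ApiKeyPrefix", "ApiKeys"
HTTPS, PASSWORD, PORT = "EnableHTTPS", "SplunkAdminPassword", "ReceiverPort"


def lint_parameters(params):
    """Return (severity, message) findings for a dict of stack parameters."""
    findings = []

    def check_cidr(key, service):
        # The page's default for both ranges is 0.0.0.0/0.
        try:
            net = ipaddress.ip_network(params.get(key, "0.0.0.0/0"), strict=False)
        except ValueError:
            findings.append(("error", f"{key}: not a valid CIDR range"))
            return
        if net.prefixlen == 0:
            findings.append(("high", f"{key}: {service} reachable from any address"))

    check_cidr(SSH_CIDR, "SSH")
    check_cidr(RECEIVER_CIDR, "receiver port")
    if not params.get(API_PREFIX) and not params.get(API_KEYS):
        findings.append(("high", "no API key or prefix: data accepted unauthenticated"))
    if str(params.get(HTTPS, "false")).lower() != "true":
        findings.append(("medium", f"{HTTPS}: receiver will listen on plain HTTP"))
    if not re.fullmatch(r"[A-Za-z0-9]{8,32}", params.get(PASSWORD, "")):
        findings.append(("error", f"{PASSWORD}: must be 8-32 alphanumeric characters"))
    try:
        port = int(params.get(PORT, 8080))
    except (TypeError, ValueError):
        port = -1
    if not 1024 <= port <= 65535:  # highest valid TCP port is 65535
        findings.append(("error", f"{PORT}: must be a number from 1024 to 65535"))
    return findings


# Constructed sample inputs: template defaults versus a restricted deployment.
DEFAULTS = {PASSWORD: "Constructed123"}
HARDENED = {SSH_CIDR: "203.0.113.0/24", RECEIVER_CIDR: "10.0.0.0/16",
            API_KEYS: "constructed-key-1,constructed-key-2", HTTPS: "true",
            PASSWORD: "Constructed123", PORT: "8443"}

if __name__ == "__main__":
    for name, sample in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(name, lint_parameters(sample) or "no findings")
```

Run against the defaults, it reports three high findings and one medium; the restricted sample produces none.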
Now that the stack creation is complete, you need to send data to the Thundra-Splunk Integrator by updating your publish base URL and API key.
- If this is your first time using Thundra, you will also need to set up the Thundra agents. Otherwise, if you are already using Thundra with the web console, these steps will redirect data to the Thundra-Splunk Integrator instead of the Thundra Web Console.
Set up your Thundra agents if this is your first time using Thundra
Find the endpoint URL for your Thundra-Splunk Integrator in the Output tab of your CloudFormation stack. The format should be: <URLofYourThundraSplunkIntegratorInstance>/api.
Now, navigate to your Thundra Lambda environment variable configuration and change the API key and publish base URL. Use the thundra_apiKey values that you entered during the CloudFormation template setup and the thundra_agent_lambda_report_rest_baseUrl that you obtained from the Output tab in the CloudFormation stack.
Click Save in the upper right corner of your Thundra Lambda environment variable configuration.
You are now set up for Thundra-Splunk integration!
After successfully deploying the Thundra-Splunk Integrator CloudFormation stack, an EC2 instance will be launched with the name Thundra Splunk Receiver & Forwarder.
After redeploying your Thundra Lambda with these modifications, you will be able to see the Lambda data in your Thundra Serverless Observability for Splunk App or your custom Splunk visualizer app within approximately 5 minutes. Please visit Splunk Application doc to learn more about how to use the visualization application.
Restarting `Thundra Splunk Receiver & Forwarder`
If you stop the EC2 instance and restart it at some point, you will need to manually start the server again. Refer to the following section for steps on how to do it. Moreover, the DNS server address can also change, so make sure you update thundra_lambda_publish_rest_baseUrl in this case with the new address.
To manually start and stop your Thundra-Splunk Integrator instance:
- SSH into your EC2 instance with the KeyPair you entered into the CloudFormation template
- Go to
- To start your instance: Run
- To stop your instance: Run