GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

PubSub export queue of Org Logging Sink to 3rd party aggregators (Splunk HEC, IBM QRadar, ELK stack) #651

Open obriensystems opened 9 months ago

obriensystems commented 9 months ago

Note: log sink publishing delays - I see an hour+ on certain sinks; when using pubsub we are near realtime

thank you team for - https://support.google.com/a/answer/7061566

Results

Log Sink to Dataflow (apache beam) pipeline to Http Endpoint Collector

Screenshot 2023-11-17 at 16 03 49

Notes

Screenshot 2023-11-09 at 1 37 32 PM Screenshot 2023-11-09 at 1 37 01 PM Screenshot 2023-11-09 at 1 34 35 PM

Architecture/Requirements

Support 3rd party log aggregation (Splunk, for example) as a logging sink target

drive/shadow to https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/318

review splunk specific integrations

https://splunkbase.splunk.com/app/3088

review ELK stack export simulation

review IBM qradar integration https://www.ibm.com/docs/en/qradar-common?topic=collector-setting-maximum-eps-rate

obriensystems commented 9 months ago

Prepare for Splunk Cloud log shipping via org level log sink to pubsub target via dataflow cluster in PSC

follow

Script in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/gh651-splunk

use as base https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh

export BOOT_PROJECT_ID=bigquery-ol
export PROJECT_ID=bigquery-ol

gcloud config set project $PROJECT_ID
export SUPER_ADMIN_EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
export ORGANIZATION_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
export PROJECT_NUMBER=$(gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)')

export NETWORK_NAME=hub
export SUBNET_NAME=hub-sn
export REGION=northamerica-northeast1
export INPUT_TOPIC_NAME=bqtopic 
export INPUT_SUBSCRIPTION_NAME=bqtopic-sub
export DEAD_LETTER_TOPIC_NAME=bq-dead-topic
export DEAD_LETTER_SUBSCRIPTION_NAME=bq-dead-topic-sub
export LOG_SINK_SERVICE_ACCOUNT=service-${PROJECT_NUMBER}@gcp-sa-logging.iam.gserviceaccount.com
export ORGANIZATION_SINK_NAME=org-sink-splunk

echo "BOOT_PROJECT: $BOOT_PROJECT_ID"
echo "PROJECT_ID: $PROJECT_ID"
echo "SUPER_ADMIN_EMAIL: $SUPER_ADMIN_EMAIL"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"
echo "PROJECT_NUMBER: $PROJECT_NUMBER"
echo "NETWORK_NAME: $NETWORK_NAME"
echo "SUBNET_NAME: $SUBNET_NAME"
echo "REGION: $REGION"
echo "INPUT_TOPIC_NAME: $INPUT_TOPIC_NAME"
echo "INPUT_SUBSCRIPTION_NAME: $INPUT_SUBSCRIPTION_NAME"
echo "DEAD_LETTER_TOPIC_NAME: $DEAD_LETTER_TOPIC_NAME"
echo "DEAD_LETTER_SUBSCRIPTION_NAME: $DEAD_LETTER_SUBSCRIPTION_NAME"
echo "LOG_SINK_SERVICE_ACCOUNT: $LOG_SINK_SERVICE_ACCOUNT"
echo "ORGANIZATION_SINK_NAME: $ORGANIZATION_SINK_NAME"

# enable services
gcloud services enable monitoring.googleapis.com
gcloud services enable secretmanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable pubsub.googleapis.com
gcloud services enable dataflow.googleapis.com

# grant roles
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/logging.configWriter --quiet > /dev/null 2>&1
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/compute.networkAdmin --quiet > /dev/null 2>&1
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/compute.securityAdmin --quiet > /dev/null 2>&1
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/secretmanager.admin --quiet > /dev/null 2>&1

gcloud compute networks create $NETWORK_NAME --subnet-mode=custom
gcloud compute networks subnets create $SUBNET_NAME \
--network=$NETWORK_NAME \
--region=$REGION \
--range=192.168.1.0/24

gcloud compute firewall-rules create allow-internal-dataflow \
--network=$NETWORK_NAME \
--action=allow \
--direction=ingress \
--target-tags=dataflow \
--source-tags=dataflow \
--priority=0 \
--rules=tcp:12345-12346

gcloud compute routers create nat-router \
--network=$NETWORK_NAME \
--region=$REGION

gcloud compute routers nats create nat-config \
--router=nat-router \
--nat-custom-subnet-ip-ranges=$SUBNET_NAME \
--auto-allocate-nat-external-ips \
--region=$REGION

gcloud compute networks subnets update $SUBNET_NAME \
--enable-private-ip-google-access \
--region=$REGION

gcloud pubsub topics create $INPUT_TOPIC_NAME
gcloud pubsub subscriptions create \
--topic $INPUT_TOPIC_NAME $INPUT_SUBSCRIPTION_NAME

echo "PROJECT_ID: $PROJECT_ID"
echo "INPUT_TOPIC_NAME: $INPUT_TOPIC_NAME"
gcloud logging sinks create $ORGANIZATION_SINK_NAME \
pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${INPUT_TOPIC_NAME} \
--organization=$ORGANIZATION_ID \
--include-children \
--log-filter="NOT logName:projects/${PROJECT_ID}/logs/dataflow.googleapis.com"

## fix project and topic rendering above

#gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
#--member=serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com \
#--role=roles/pubsub.publisher

# NOTE: the writer identity of an organization-level sink is the service-org-<ORGANIZATION_ID>@gcp-sa-logging.iam.gserviceaccount.com
# account printed by 'gcloud logging sinks create', not the project-level account below (see the mismatch found later in this issue)
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${LOG_SINK_SERVICE_ACCOUNT} \
--role=roles/pubsub.publisher

gcloud pubsub topics create $DEAD_LETTER_TOPIC_NAME
gcloud pubsub subscriptions create --topic $DEAD_LETTER_TOPIC_NAME $DEAD_LETTER_SUBSCRIPTION_NAME

https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk/deployment

running

michael@cloudshell:~/bigquery-ol/pubsec-declarative-toolkit/solutions (bigquery-ol)$ ./setup-splunk-sink.sh 
Updated property [core/project].
BOOT_PROJECT: bigquery-ol
PROJECT_ID: bigquery-ol
SUPER_ADMIN_EMAIL: mi..ev
ORGANIZATION_ID: 583..68
PROJECT_NUMBER: 951469276805
NETWORK_NAME: hub
SUBNET_NAME: hub-sn
REGION: northamerica-northeast1
INPUT_TOPIC_NAME: bqtopic
INPUT_SUBSCRIPTION_NAME: bqtopic-sub
DEAD_LETTER_TOPIC_NAME: bq-dead-topic
DEAD_LETTER_SUBSCRIPTION_NAME: bq-dead-topic-sub
LOG_SINK_SERVICE_ACCOUNT: service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
ORGANIZATION_SINK_NAME: org-sink-splunk
Operation "operations/acat.p2-951469276805-e274bf61-e2a0-461f-86e7-03a476cd3b27" finished successfully.
Operation "operations/acf.p2-951469276805-f4e3d475-3c23-494e-8a2b-84b1a67a5107" finished successfully.
Operation "operations/acf.p2-951469276805-d1965720-dd9c-4c5e-981b-eb96689b123f" finished successfully.
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].

Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/global/networks/hub].
NAME: hub
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network hub --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network hub --allow tcp:22,tcp:3389,icmp

Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/regions/northamerica-northeast1/subnetworks/hub-sn].
NAME: hub-sn
REGION: northamerica-northeast1
NETWORK: hub
RANGE: 192.168.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 

Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/global/firewalls/allow-internal-dataflow].            
Creating firewall...done.                                                                                                                              
NAME: allow-internal-dataflow
NETWORK: hub
DIRECTION: INGRESS
PRIORITY: 0
ALLOW: tcp:12345-12346
DENY: 
DISABLED: False

Creating router [nat-router]...done.                                                                                                                   
NAME: nat-router
REGION: northamerica-northeast1
NETWORK: hub
Creating NAT [nat-config] in router [nat-router]...done.  

Updated [https://www.googleapis.com/compute/v1/projects/bigquery-ol/regions/northamerica-northeast1/subnetworks/hub-sn].
Created topic [projects/bigquery-ol/topics/bqtopic].
Created subscription [projects/bigquery-ol/subscriptions/bqtopic-sub].

Created [https://logging.googleapis.com/v2/organizations/583675367868/sinks/org-sink-splunk].
Please remember to grant `serviceAccount:service-org-583675367868@gcp-sa-logging.iam.gserviceaccount.com` the Pub/Sub Publisher role on the topic.
More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export

writer identity
serviceAccount:service-org-583675367868@gcp-sa-logging.iam.gserviceaccount.com

inclusion filter
NOT logName:projects/bigquery-ol/logs/dataflow.googleapis.com
Screenshot 2023-11-09 at 13 57 55

fix project id

Screenshot 2023-11-09 at 13 58 27

hardcoded project but there is an issue selecting the target - logs are ok, just need to fix queue topic selection

Screenshot 2023-11-09 at 14 07 33 Screenshot 2023-11-09 at 14 07 55 Screenshot 2023-11-09 at 14 08 51

gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${LOG_SINK_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/pubsub.publisher
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (service-951469276805@gcp-sa-logging.iam.gserviceaccount.com@bigquery-ol.iam.gserviceaccount.com).

fixed

gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com \
--role=roles/pubsub.publisher

Updated IAM policy for topic [bqtopic].
bindings:
- members:
  - serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
  role: roles/pubsub.publisher
etag: BwYJvRbrKsU=
version: 1

Triage issue with sink service account permission on the PubSub topic

Email

Screenshot 2023-11-15 at 13 18 48

existing sink

Screenshot 2023-11-15 at 13 19 10

Writer Identity serviceAccount:service-org-583...68@gcp-sa-logging.iam.gserviceaccount.com

PubSub topic

Screenshot 2023-11-15 at 13 21 27

Testing

echo "Granting roles/pubsub.publisher to SA: ${LOG_SINK_SERVICE_ACCOUNT} on PubSub topic: ${INPUT_TOPIC_NAME}"
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${LOG_SINK_SERVICE_ACCOUNT} \
--role=roles/pubsub.publisher

Granting roles/pubsub.publisher to SA: service-951469276805@gcp-sa-logging.iam.gserviceaccount.com on PubSub topic: bqtopic
Updated IAM policy for topic [bqtopic].
bindings:
- members:
  - serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
  role: roles/pubsub.publisher
etag: BwYKNQy6cWo=
version: 1
michael@cloudshell:~/bigquery-ol/pubsec-declarative-toolkit/solutions (bigquery-ol)$ 

Service account is mismatched

service-org-583...68@gcp-sa-logging.iam.gserviceaccount.com instead of service-951...805@gcp-sa-logging.iam.gserviceaccount.com

export PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT=service-org-${ORGANIZATION_ID}@gcp-sa-logging.iam.gserviceaccount.com
echo "Granting roles/pubsub.publisher to SA: ${PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT} on PubSub topic: ${INPUT_TOPIC_NAME}"
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT} \
--role=roles/pubsub.publisher

PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT: service-org-58...868@gcp-sa-logging.iam.gserviceaccount.com
ORGANIZATION_SINK_NAME: org-sink-splunk
Granting roles/pubsub.publisher to SA: service-org-58...68@gcp-sa-logging.iam.gserviceaccount.com} on PubSub topic: bqtopic
Updated IAM policy for topic [bqtopic].
bindings:
- members:
  - serviceAccount:service-951...805@gcp-sa-logging.iam.gserviceaccount.com
  - serviceAccount:service-org-58...68@gcp-sa-logging.iam.gserviceaccount.com
  role: roles/pubsub.publisher
etag: BwYKNSG_KO0=
version: 1
Screenshot 2023-11-15 at 13 34 40

Messages now

Screenshot 2023-11-15 at 13 36 30

Forcing some logs via

SELECT * FROM `bigquery-ol.rollerblade.rollerblade` LIMIT 1000
Screenshot 2023-11-15 at 13 39 17

2.7 messages / sec

Screenshot 2023-11-15 at 13 39 46

Pulling messages

Screenshot 2023-11-15 at 13 40 40
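The service-account mismatch above (the topic was granted to the project-level `service-<PROJECT_NUMBER>@gcp-sa-logging...` account while the org-level sink actually writes as `service-org-<ORGANIZATION_ID>@gcp-sa-logging...`) is easy to catch before any log is lost by comparing the sink's `writerIdentity` with the topic's IAM policy. The following is an added example, not code from the pubsec-declarative-toolkit: it runs offline on constructed JSON shaped like `gcloud logging sinks describe ... --format=json` and `gcloud pubsub topics get-iam-policy ... --format=json` output (the identities and etags are constructed to mirror the values in this thread), reports the missing grant, flags any public publisher, and prints the `gcloud` command that would fix it.

```python
"""Verify that a Cloud Logging sink's writer identity can publish to its Pub/Sub topic.

Added example, not code from the pubsec-declarative-toolkit. Works offline on
constructed JSON shaped like the output of
`gcloud logging sinks describe SINK --organization ORG --format=json` and
`gcloud pubsub topics get-iam-policy TOPIC --format=json`.
"""
import json
import re

PUBLISHER_ROLE = "roles/pubsub.publisher"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sink description: an org-level sink writes as
# service-org-<ORG_ID>@..., not as the project-level logging account.
SINK_JSON = """{
  "name": "org-sink-splunk",
  "destination": "pubsub.googleapis.com/projects/bigquery-ol/topics/bqtopic",
  "filter": "NOT logName:projects/bigquery-ol/logs/dataflow.googleapis.com",
  "includeChildren": true,
  "writerIdentity": "serviceAccount:service-org-583675367868@gcp-sa-logging.iam.gserviceaccount.com"
}"""

# Constructed topic policy after the first (mismatched) grant in this thread.
TOPIC_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com"]}
  ],
  "etag": "BwYKNQy6cWo=",
  "version": 1
}"""


def topic_from_destination(destination):
    """Split a sink destination into (project, topic); rejects non-Pub/Sub sinks."""
    m = re.fullmatch(r"pubsub\.googleapis\.com/projects/([^/]+)/topics/([^/]+)", destination)
    if m is None:
        raise ValueError(f"not a Pub/Sub destination: {destination}")
    return m.group(1), m.group(2)


def publishers(policy):
    """All members holding roles/pubsub.publisher, across every binding."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == PUBLISHER_ROLE:
            members.update(binding.get("members", []))
    return members


def check_sink_binding(sink_json, policy_json):
    """Compare the sink's writerIdentity against the topic policy.

    Returns 'ok', the identity that still needs the grant (or None), any public
    members that may publish, and the gcloud command that adds the missing grant.
    """
    sink = json.loads(sink_json)
    policy = json.loads(policy_json)
    writer = sink["writerIdentity"]
    project, topic = topic_from_destination(sink["destination"])
    pubs = publishers(policy)
    missing = None if writer in pubs else writer
    public = sorted(pubs & PUBLIC_MEMBERS)
    fix = None
    if missing:
        fix = (f"gcloud pubsub topics add-iam-policy-binding {topic} --project={project} "
               f"--member={writer} --role={PUBLISHER_ROLE}")
    return {"ok": missing is None and not public, "writer_identity": writer,
            "missing_grant": missing, "public_publishers": public, "fix": fix}


def with_publisher(policy_json, member):
    """Return the policy JSON with `member` added to the publisher binding."""
    policy = json.loads(policy_json)
    for binding in policy.setdefault("bindings", []):
        if binding.get("role") == PUBLISHER_ROLE:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            break
    else:
        policy["bindings"].append({"role": PUBLISHER_ROLE, "members": [member]})
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    result = check_sink_binding(SINK_JSON, TOPIC_POLICY_JSON)
    print(json.dumps(result, indent=2))
    if result["fix"]:
        print("policy after applying the fix:")
        print(with_publisher(TOPIC_POLICY_JSON, result["writer_identity"]))
```

Reading `writerIdentity` from the sink rather than building the account name by hand is the point: the sink is the source of truth, and the check stays correct whether the sink lives at project, folder or organization level.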
fmichaelobrien commented 9 months ago

check https://docs.splunk.com/Splexicon:Heavyforwarder target instead of direct HEC

obriensystems commented 8 months ago

IBM QRadar procedures: IBM QRadar Security Intelligence Platform

obriensystems commented 8 months ago

Splunk Cloud procedures:

https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk
https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk/deployment
secondary: https://cloud.google.com/splunk

Navigate to splunk cloud

https://prd-p-07o6m.splunkcloud.com user: sc_admin pw: usual aac

Screenshot 2023-11-09 at 11 35 43 Screenshot 2023-11-09 at 11 36 37 Screenshot 2023-11-09 at 11 37 34

## Splunk Connection to PubSub - via HEC

Navigate to settings | data inputs | HTTP Event Collector

Screenshot 2023-11-09 at 11 40 21 Screenshot 2023-11-09 at 11 42 02

## 20231115: move to splunk HEC now that we have messaging queuing in the PubSub topic

Screenshot 2023-11-15 at 13 43 22
obriensystems commented 8 months ago

Splunk push method - step 2 - DataFlow pipeline to HEC

follow after PubSub queue up above https://cloud.google.com/dataflow/docs/guides/templates/provided/pubsub-to-splunk

Screenshot 2023-11-17 at 14 01 12
# gcloud TODO - bigquery-ol-dataflow bucket with staging folder

export JOB_NAME=dataflowbq
export REGION_NAME=$REGION
# see  gs://dataflow-templates-northamerica-northeast1
export VERSION=latest
export STAGING_LOCATION=gs://bigquery-ol-dataflow/staging
#export INPUT_SUBSCRIPTION_NAME=
export SPLUNK_HEC_TOKEN=
export SPLUNK_HEC_URL=https://splunk-hec-host:8088
export DEADLETTER_TOPIC_NAME=$DEAD_LETTER_TOPIC_NAME
export JAVASCRIPT_FUNCTION=myTransform
export PATH_TO_JAVASCRIPT_UDF_FILE=gs://my-bucket/my-udfs/my_file.js
export BATCH_COUNT=1
export PARALLELISM=2
# disableCertificateValidation=true turns off TLS verification of the HEC endpoint; prefer passing the private CA via rootCaCertificatePath
export DISABLE_VALIDATION=true
# optional
export ROOT_CA_CERTIFICATE_PATH=gs://your-bucket/privateCA.crt

gcloud dataflow jobs run $JOB_NAME \
    --gcs-location gs://dataflow-templates-$REGION_NAME/$VERSION/Cloud_PubSub_to_Splunk \
    --region $REGION_NAME \
    --staging-location $STAGING_LOCATION \
    --parameters \
inputSubscription=projects/$PROJECT_ID/subscriptions/$INPUT_SUBSCRIPTION_NAME,\
token=$SPLUNK_HEC_TOKEN,\
url=$SPLUNK_HEC_URL,\
outputDeadletterTopic=projects/$PROJECT_ID/topics/$DEADLETTER_TOPIC_NAME,\
javascriptTextTransformGcsPath=$PATH_TO_JAVASCRIPT_UDF_FILE,\
javascriptTextTransformFunctionName=$JAVASCRIPT_FUNCTION,\
batchCount=$BATCH_COUNT,\
parallelism=$PARALLELISM,\
disableCertificateValidation=$DISABLE_VALIDATION,\
rootCaCertificatePath=$ROOT_CA_CERTIFICATE_PATH
Screenshot 2023-11-17 at 13 57 49 Screenshot 2023-11-17 at 13 58 31
HEC token input:

Input Type: Token
Name: hec-token
Source name override: N/A
Description: N/A
Enable indexer acknowledgements: Yes
Allowed indexes: history, lastchanceindex, main, summary
Default index: history
Source Type: Automatic
App Context: launcher
Screenshot 2023-11-17 at 13 59 08

Test the HEC collector

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/UsetheHTTPEventCollector

https://prd-p-07o6m.splunkcloud.com/en-US/manager/search/http-eventcollector

michaelobrien@mbp7 rest-client-java % curl https://prd-p-07o6m.splunkcloud.com/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
Invalid language specified%

michaelobrien@mbp7 rest-client-java % curl -v https://prd-p-07o6m.splunkcloud.com:8088/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
*   Trying 35.171.229.88:8088...
* Connected to prd-p-07o6m.splunkcloud.com (35.171.229.88) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl https://prd-p-07o6m.splunkcloud.com:8088/services/collector/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": { "principalEmail": "michael@obrienlabs.dev" },
    "requestMetadata": {
      "callerIp": "174.112.128.160",
      "requestAttributes": { "time": "2023-11-17T16:59:08.029271Z", "auth": {} },
      "destinationAttributes": {}
    },
    "serviceName": "cloudbilling.googleapis.com",
    "methodName": "ListBillingAccounts",
    "authorizationInfo": [
      { "resource": "organizations/583675367868", "permission": "billing.accounts.list", "granted": true, "resourceAttributes": {} },
      { "resource": "billingAccounts/019D0C-A1B72A-4BC522", "permission": "billing.accounts.get", "granted": true, "resourceAttributes": {} },
      { "resource": "billingAccounts/019283-6F1AB5-7AD576", "permission": "billing.accounts.get", "granted": true, "resourceAttributes": {} }
    ],
    "resourceName": "organizations/583675367868",
    "request": {
      "excludeProjectLookups": true,
      "organizationName": "organizations/583675367868",
      "@type": "type.googleapis.com/google.internal.cloudbilling.billingaccount.v1.ListBillingAccountsRequest",
      "pageSize": 1000
    }
  },
  "insertId": "-2ruh4jcnoi",
  "resource": { "type": "organization", "labels": { "organization_id": "583675367868" } },
  "timestamp": "2023-11-17T16:59:07.950674Z",
  "severity": "INFO",
  "logName": "organizations/583675367868/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-11-17T16:59:08.944678641Z"
}'

triaging (CERT issue should be solved by token - via https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-HEC-and-validating-Certificates/m-p/563088)

michaelobrien@mbp7 rest-client-java % curl -k https://prd-p-07o6m.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
{"text":"Data channel is missing","code":10}%

could be

User 'admin' triggered the '_reload' action on app 'splunk_monitoring_console', and completing an implicit app deletion requires restart
11/17/2023, 7:27:09 PM
Splunk must be restarted for changes to take effect. Contact Splunk Cloud Support to complete the restart.
11/7/2023, 2:58:45 AM

Attempting manually

Screenshot 2023-11-17 at 14 40 37

exported CLI

gcloud dataflow jobs run console --gcs-location gs://dataflow-templates-northamerica-northeast1/latest/Cloud_PubSub_to_Splunk --region northamerica-northeast1 --staging-location gs://bigquery-ol-dataflow/staging/ --additional-user-labels {} --parameters inputSubscription=projects/bigquery-ol/subscriptions/bqtopic-sub,token=fbaac76f-69fe-430a.....ee88fd,url=https://prd-p-07o6m.splunkcloud.com:8088,enableBatchLogs=true,enableGzipHttpCompression=true,javascriptTextTransformReloadIntervalMinutes=0,outputDeadletterTopic=projects/bigquery-ol/topics/bq-dead-topic
Screenshot 2023-11-17 at 14 41 55

trying to determine actual messages getting through to the HEC

Screenshot 2023-11-17 at 14 46 16
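Two things in the HEC test above are worth pinning down for anyone repeating it: the `{"text":"Data channel is missing","code":10}` reply is what HEC returns when the token input has "Enable indexer acknowledgements: Yes" (as the hec-token input does) and the request carries no `X-Splunk-Request-Channel` header, and `curl -k` only hides the certificate problem rather than solving it. The following is an added example, not code from this thread or from the Dataflow Pub/Sub-to-Splunk template: a small Python client that builds a `/services/collector/event` request with the channel header and Cloud Logging metadata (`time`, `source`) and sends it over a verified TLS connection. `HEC_URL`, `HEC_TOKEN` and `CA_BUNDLE` are placeholders, and the sample entry is constructed.

```python
"""Post a Cloud Logging entry to a Splunk HEC token input over verified TLS.

Added example, not code from the thread or from the Dataflow template. Assumes
a HEC token input with indexer acknowledgements enabled, so every request
carries X-Splunk-Request-Channel; without it HEC answers
{"text":"Data channel is missing","code":10}. HEC_URL, HEC_TOKEN and CA_BUNDLE
are placeholders.
"""
import calendar
import http.client
import json
import re
import ssl
import uuid
from urllib.parse import urlparse

HEC_URL = "https://splunk-hec-host:8088"                 # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"       # placeholder token
CA_BUNDLE = None   # path to the CA bundle that signed the HEC cert; None = system store

# Constructed sample entry, shaped like an audit log delivered by the org sink.
SAMPLE_ENTRY = {
    "insertId": "example-0001",
    "logName": "organizations/ORG_ID_PLACEHOLDER/logs/cloudaudit.googleapis.com%2Fdata_access",
    "severity": "INFO",
    "timestamp": "2023-11-17T16:59:07.950674Z",
    "protoPayload": {"serviceName": "cloudbilling.googleapis.com",
                     "methodName": "ListBillingAccounts"},
}

RFC3339 = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z")


def rfc3339_to_epoch(ts):
    """Convert a Cloud Logging UTC timestamp (any fractional precision) to epoch seconds."""
    m = RFC3339.fullmatch(ts)
    if m is None:
        raise ValueError(f"unsupported timestamp: {ts}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    frac = m.group(7) or "0"
    return calendar.timegm((y, mo, d, h, mi, s)) + float("0." + frac)


def build_hec_request(entry, token, channel, index=None,
                      sourcetype="google:gcp:pubsub:message"):
    """Return (path, headers, body) for POST /services/collector/event."""
    event = {"time": rfc3339_to_epoch(entry["timestamp"]),  # keep the log's own time
             "source": entry.get("logName", "gcp"),
             "sourcetype": sourcetype,
             "event": entry}
    if index:
        event["index"] = index
    headers = {"Authorization": f"Splunk {token}",
               "X-Splunk-Request-Channel": channel,   # required when acks are enabled
               "Content-Type": "application/json"}
    return "/services/collector/event", headers, json.dumps(event)


def send_event(entry, url=HEC_URL, token=HEC_TOKEN, ca_bundle=CA_BUNDLE, index=None):
    """POST one entry; verifies the server certificate instead of skipping it."""
    channel = str(uuid.uuid4())
    path, headers, body = build_hec_request(entry, token, channel, index)
    u = urlparse(url)
    ctx = ssl.create_default_context(cafile=ca_bundle)   # chain + hostname checks stay on
    conn = http.client.HTTPSConnection(u.hostname, u.port or 8088, context=ctx, timeout=10)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read() or b"{}"), channel
    finally:
        conn.close()


if __name__ == "__main__":
    status, reply, channel = send_event(SAMPLE_ENTRY)
    print(status, reply, "channel:", channel)
```

With acknowledgements enabled a `200 {"text":"Success","code":0,"ackId":N}` only means HEC accepted the event; the same channel id is what you later pass to `/services/collector/ack` to confirm it was indexed, which is also why the Dataflow template needs the token's ack setting to match its own expectations.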
obriensystems commented 8 months ago

Splunk push from PubSub via Dataflow (Apache BEAM) looks to be working - just verifying the Splunk Cloud end

Screenshot 2023-11-17 at 14 46 16

Run some more BigQuery queries to push some more logs

Screenshot 2023-11-17 at 14 58 08