Splunk is a popular log platform that can be configured to forward all, or a subset, of its data to Loom.

To set up forwarding, you will need to configure your Splunk forwarders.

Recommended - Forward from Indexers / Heavy Forwarders

A Splunk indexer can also act as a heavy forwarder, so this section applies to both.

This guide assumes that an environment variable named $SPLUNK_HOME exists. On *nix it typically points to /opt/splunk. If you run Splunk on Windows, the variable is written %SPLUNK_HOME% and you should replace "/" with "\" in all of the snippets below.

Open a terminal and connect to your Splunk Forwarder. Edit the outputs.conf file, located at:

$SPLUNK_HOME/etc/system/local/outputs.conf

If you already have outputs configured, merge the following with your existing configuration. The Loom stanzas should appear as follows:

[syslog]
defaultGroup=loom

[syslog:loom]
server = {{server}}:{{port}}

Replace {{server}} with the IP address of your Loom server, or with your data URL if you use the SaaS version (e.g. mydomain-data.loomsystems.com).
Replace {{port}} with the port you configured in Loom, or 514 if you use the SaaS version.
Note that Splunk's syslog output sends over UDP unless you add "type = tcp" to the [syslog:loom] stanza, and that the data is sent in the clear either way (see "Forward over a secure tunnel" below).

Finally, restart the forwarder by running:

$SPLUNK_HOME/bin/splunk restart splunkd

Optionally, check the splunkd log for "Output"-related lines to confirm that the forwarder connected to Loom. The file is located at:

$SPLUNK_HOME/var/log/splunk/splunkd.log

Forwarding without indexing

If the data you would like to forward to Loom isn't already in Splunk, and you wish to avoid indexing it on the heavy forwarder to save on Splunk license usage, set indexAndForward = false, as documented here.

Forward a subset of the data

You can filter what is forwarded to Loom by defining a routing transform in transforms.conf and applying it to hosts, data inputs and source types in props.conf. See more details here.
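The following is an added example of such a filter, not a configuration taken from the page or from Loom; it goes beyond the single case above by showing both a host-wide route and a content-based route. It assumes the [syslog:loom] group from the outputs.conf snippet above, and the host pattern, log path and regex are placeholders. Because "defaultGroup" in the [syslog] stanza sends every event to Loom, remove that line when you want only the routed subset to be forwarded.

```ini
# --- $SPLUNK_HOME/etc/system/local/transforms.conf ---
# Each transform writes the syslog group name into the _SYSLOG_ROUTING key.
# Events that no transform matches keep their default routing (indexed
# locally, not sent to Loom) once defaultGroup is removed from outputs.conf.

# Route every event from the matching input to the "loom" group.
[route_all_to_loom]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = loom

# Route only events whose text looks like an error (assumed pattern).
[route_errors_to_loom]
REGEX = (?i)\b(error|fatal|exception)\b
DEST_KEY = _SYSLOG_ROUTING
FORMAT = loom

# --- $SPLUNK_HOME/etc/system/local/props.conf ---
# Apply the transforms by host, by source path, or by source type.
# Host and path values below are assumptions for illustration.

[host::web-*]
TRANSFORMS-loom = route_all_to_loom

[source::/var/log/app/*.log]
TRANSFORMS-loom = route_errors_to_loom

[access_combined]
TRANSFORMS-loom = route_errors_to_loom
```

After editing, restart splunkd and confirm the effective settings with "$SPLUNK_HOME/bin/splunk btool transforms list --debug" and "... btool props list --debug", which show which file each stanza was loaded from.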

Forward over a secure tunnel

As far as we can tell, Splunk does not support syslog output over SSL/TLS. To encrypt the communications between your forwarder and Loom, you will need to set up a syslog relay that terminates TLS. A Loom representative will be happy to help you configure it and ensure your data stays protected in transit.

Alternative approach - Forward from Light/Universal forwarders

Light and universal forwarders do not support syslog output; they can only send raw TCP output, which lacks important metadata such as the host that sent the message.
To use these forwarders, configure a TCP output as follows:

To encrypt the traffic
First, click here to download the Loom Root CA file and save it as loom.crt under the following directory (create it if necessary):

$SPLUNK_HOME/etc/certs/

Next, run the following two commands. The second command prompts for a password that you will need again when editing outputs.conf, so take a note of it. These scripts generate a local root CA and a forwarder certificate signed by it; they do not touch the loom.crt file you downloaded.

$SPLUNK_HOME/bin/genRootCA.sh -d $SPLUNK_HOME/etc/certs/
$SPLUNK_HOME/bin/genSignedServerCert.sh -d $SPLUNK_HOME/etc/certs -n forwarder -p

Add the output
Edit the outputs.conf file, located at:

$SPLUNK_HOME/etc/system/local/outputs.conf

If you already have outputs configured, merge the following with your existing configuration. The Loom stanzas should appear as follows:

[tcpout]
indexAndForward = 1

[tcpout:fastlane]
server = {{server}}:{{port}}
sendCookedData = false
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslPassword = {{password}}
sslRootCAPath = $SPLUNK_HOME/etc/certs/loom.crt
compressed = false
enabled = true

Replace {{server}} with the IP address of your Loom server, or with your data URL if you use the SaaS version (e.g. mydomain-data.loomsystems.com).
Replace {{port}} with the port you configured in Loom, or 9999 if you use the SaaS version.
Replace {{password}} with the password you entered when running genSignedServerCert.sh.
If you don't wish to use encryption, simply remove all the properties that begin with "ssl".
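As configured above, the forwarder encrypts the connection but does not reject a server certificate it cannot verify, because Splunk's sslVerifyServerCert setting defaults to false. The stanza below is an added example, not configuration from the page or from Loom, showing the same output with server verification turned on; the host name, port and password value are assumptions and must be replaced with your own.

```ini
[tcpout]
indexAndForward = 1

[tcpout:fastlane]
# Assumed SaaS endpoint; use your own Loom server or data URL.
server = mydomain-data.loomsystems.com:9999
sendCookedData = false
compressed = false
enabled = true

# Client certificate generated by genSignedServerCert.sh, and its password.
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslPassword = changeme-use-the-password-you-noted

# Loom's root CA, downloaded earlier.
sslRootCAPath = $SPLUNK_HOME/etc/certs/loom.crt

# Added hardening: refuse to send unless the server's certificate chains
# to loom.crt, and its common name matches the expected host (assumed value).
sslVerifyServerCert = true
sslCommonNameToCheck = mydomain-data.loomsystems.com
```

With these two settings in place, a misdirected or intercepted connection fails closed and the failure is logged in splunkd.log under "Output"-related lines, rather than silently sending data to a peer that merely speaks TLS. Check the effective values with "$SPLUNK_HOME/bin/splunk btool outputs list tcpout:fastlane --debug" before restarting.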

Finally, restart the forwarder by running:

$SPLUNK_HOME/bin/splunk restart splunkd
