On-Prem Analytics Offload Demo with Splunk

Key Points

  • The new 5070 on-prem analytics offload feature adds a Settings → Analytics tab that supports four event types (API, monitoring, log, and audit). For each event type, users can keep the default analytics output or add a second export to a third-party system.
  • Four export destinations are available: Elasticsearch, Kafka, syslog, and HTTP. Any of them can feed an external analytics platform.
  • In the demo, monitoring events are routed to Splunk through the syslog output by configuring host, port, protocol, and optional SSL settings, then verifying the connection with a test event.
  • API events are sent to Splunk through an HTTP output that requires a URL, a TLS profile, and two custom headers (authorization and request channel). Delivery is confirmed by invoking the API and viewing the events in Splunk.
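
As an added example (not from the video or the product): a small Python check over the two kinds of output the demo configures, flagging settings that would expose the Splunk token or the events in transit. The dictionary field names, host, token and channel values are constructed for illustration; `Authorization: Splunk <token>` and `X-Splunk-Request-Channel` are the Splunk HTTP Event Collector header conventions.

```python
import re
from urllib.parse import urlparse
# Field names below are hypothetical; the page shows the UI, not a config schema.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def audit_output(event_type, out):
    """Return findings for one secondary-export output definition."""
    issues = []
    kind = out.get("type")
    if kind == "http":
        headers = {k.lower(): v for k, v in out.get("headers", {}).items()}
        if urlparse(out.get("url", "")).scheme != "https":
            issues.append("token sent over a non-HTTPS URL")
        elif not out.get("tls_profile"):
            issues.append("HTTPS URL without a TLS profile")
        auth = headers.get("authorization", "").split()
        if len(auth) != 2 or auth[0] != "Splunk":
            issues.append("authorization header is not 'Splunk <token>'")
        if not GUID.match(headers.get("x-splunk-request-channel", "")):
            issues.append("request channel missing or not a GUID")
    elif kind == "syslog":
        if not 0 < int(out.get("port", 0)) < 65536:
            issues.append("port out of range")
        if not out.get("ssl"):
            issues.append("no SSL: events readable in transit")
    else:
        issues.append("unsupported output type")
    return [f"{event_type}/{kind}: {i}" for i in issues]

def redact(out):
    """Copy of an output definition that is safe to log (token masked)."""
    safe = dict(out, headers=dict(out.get("headers", {})))
    for name in safe["headers"]:
        if name.lower() == "authorization":
            safe["headers"][name] = "Splunk ****"
    return safe

# Constructed sample definitions (placeholder host, token and channel).
WEAK = {"type": "http", "url": "http://splunk.example:8088/services/collector/raw",
        "headers": {"Authorization": "PLACEHOLDER-TOKEN"}}
GOOD = {"type": "http", "url": "https://splunk.example:8088/services/collector/raw",
        "tls_profile": "default",
        "headers": {"Authorization": "Splunk PLACEHOLDER-TOKEN",
                    "X-Splunk-Request-Channel": "00000000-0000-4000-8000-000000000001"}}
SYSLOG = {"type": "syslog", "host": "splunk.example", "port": 6514, "protocol": "tcp", "ssl": False}

if __name__ == "__main__":
    for name, cfg in (("api", WEAK), ("api", GOOD), ("monitoring", SYSLOG)):
        print(redact(cfg), audit_output(name, cfg))
```

Running `redact` before a definition is written to a change log or ticket keeps the token out of places where the offload configuration gets copied.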

Source: [https://www.youtube.com/watch?v=5SoklXsrNO0](https://www.youtube.com/watch?v=5SoklXsrNO0)

Duration: 00:03:17

Sections

  • [00:00:00](https://www.youtube.com/watch?v=5SoklXsrNO0&t=0s) On-Prem Analytics Offload Demo: Mark Nesbet demonstrates the new 5070 on-prem analytics offload feature, walking through event-type settings, default and secondary export options (Elasticsearch, Kafka, syslog, HTTP) and showing how to route API and monitoring events to Splunk via HTTP and syslog.

Full Transcript

[0:05] Hello, my name is Mark Nesbet. I work for the analytics team, and today I'll be doing a very brief demo of the new 5070 on-prem only analytics offload feature. As you see, I'm currently logged into the Cloud Management Console for the on-prem system. If you navigate to Settings, Analytics, this is a new tab we've introduced in 5070.

[0:25] Looking closely, we support four event types: API events; monitoring events, which is gateway and management node performance-related data; log events are typically sent from the gateway and include error conditions and other log events; audit events typically show up in the notifications bar up top here in the CMC UI and API UI, and include things such as notifications when an organization is created or an API is published.

[0:54] Uh, the, for each API, for each event type, the user can either configure the default analytics output, which is the default out of the box, or they can optionally select a second export option to a third-party system. The four output types we include are Elasticsearch, Kafka, syslog, and HTTP.

[1:16] For the demo, I'm just going to show you how we can export API events to, through the HTTP output to Splunk, and also additionally show how we can export monitor events through syslog to Splunk as well.

[1:29] Taking a look at the syslog configuration first, you can see that the configuration is pretty straightforward. You just hit Configure, come in, select a host, port, protocol, optionally include some SSL-related information, and hit Update. The user can also send a test event to verify that their connection information is correct. I've already configured this and it's already running, so if I come into Splunk here and look for the data summary and go into the sources, you can see here's my syslog listener, and you can see here's the actual performance monitoring events received by Splunk.

[2:09] Coming back for the API events, um, I've already configured an HTTP output for API events. The configuration is a little bit more complex. Uh, we must specify an H URL. I've shown an example with SSL configured using the default TLS profile. I've also had to add a couple HTTP headers to connect to Splunk. Uh, one is an authorization header to authorize with the Splunk server, and the second one is the request channel, which helps Splunk determine where to send the actual analytics data.

[2:41] This is also configured, so if I come in here and invoke my API a few times, we should now be able to go back into Splunk, go back into the search. Here's the configured HTTP output token. Click here, and you should be able to see the actual two or three events I've just published.

[3:06] And that concludes my demo for today. Thank you.