Configure Splunk Firehose Nozzle Release as a Cloud Foundry application

You can configure the splunk-firehose-nozzle community application to send your Cloud Foundry Enterprise Environment component metrics, application logs, and application metrics to Splunk.

Before you install the Splunk Firehose Nozzle app, you must install Splunk in a container. If you have not installed Splunk, you can install it by using Docker. If you already use Splunk, you can configure the Splunk add-on for Cloud Foundry through the Splunk Marketplace.

Installing Splunk

  1. Install Docker. For more information, see Install Docker.
  2. Pull the Splunk images from Docker Hub.

     docker pull splunk/splunk
    
  3. Start Splunk:

       docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "8088:8088" splunk/splunk
    

    In this example, 8000 represents the default port where the Splunk dashboard is running and 8088 is the HTTP Event Collector port that receives the logs from the nozzle.

  4. To verify that Splunk is running, open http://localhost:8000 in your browser and log in. The default user name is admin, and the default password is changeme.

Installing the Splunk add-on for Cloud Foundry

  1. Clone the latest Splunk add-on for Cloud Foundry by running the following command:

     git clone git@github.com:splunk/splunk-addon-for-cloud-foundry.git
    
  2. Retrieve the Docker containerId for Splunk by running the following command:

     docker ps -aqf "ancestor=splunk/splunk"
    
  3. Copy the Splunk_SA_CloudFoundry folder that you cloned to the Docker container by running the following command:

     docker cp splunk-addon-for-cloud-foundry/Splunk_SA_CloudFoundry <containerId>:/opt/splunk/etc/apps
    

Note: Use the <containerId> value for Splunk that you obtained in step 2.

  4. Restart the Docker container.

       docker restart <containerId>
    
  5. Open the Splunk dashboard at http://localhost:8000. If the add-on installed successfully, you see a new icon with the title Splunk add-on for Cloud Foundry.

Configuring the Splunk HTTP event collector

Use the Splunk HTTP Event Collector to send data to Splunk over HTTP. In this case, you can send Cloud Foundry system logs.

  1. In the Splunk dashboard, click Settings > Data inputs.
  2. In the HTTP Event Collector section, click Add new.
  3. Enter a name for the data input, and click Next.
  4. In the Source type list, select Automatic.
  5. For the Index, either select an existing index, such as Default, or create a new one.
  6. Click Review and then Submit.
  7. Save the Generated Token Value.
  8. Enable the HTTP Event Collector:
    1. Click Settings > Data inputs.
    2. Click HTTP Event Collector.
    3. Click Global Settings.
    4. In the All Tokens section, click Enabled, and then Save.
  9. Splunk is now ready to receive logs through HTTP by using port 8088. Note: If you want to use a different port, you can specify its value in the Global Settings.

Configuring and deploying the Splunk Firehose Nozzle release application

  1. Clone the splunk-firehose-nozzle app from GitHub.

    git clone https://github.com/cloudfoundry-community/splunk-firehose-nozzle.git
    cd splunk-firehose-nozzle
    
  2. Log in to Cloud Foundry:

    cf login -a https://api.<your cf system domain> -u <your Cloud Foundry id>
    

    If you have not installed the Cloud Foundry command line interface, see Command line interfaces for Cloud Foundry Enterprise Environment.

  3. Modify the nozzle_manifest file.

     vi ci/nozzle_manifest.yml
    
    • API_ENDPOINT: Cloud Foundry API endpoint address.
    • API_USER: Cloud Foundry user name.
    • API_PASSWORD: Cloud Foundry user's password.
    • SPLUNK_TOKEN: For more information about this parameter, see Set up and use HTTP Event Collector.
    • SPLUNK_HOST: Splunk HTTP event collector host, such as https://example.cloud.splunk.com:8088.
    • SPLUNK_INDEX: The Splunk index that events are sent to.
    • FIREHOSE_SUBSCRIPTION_ID: Tags nozzle events with a Firehose subscription ID. For more information, see Loggregator Guide for Cloud Foundry Operators. The Nozzle requires a user with the doppler.firehose scope, and, if the ADD_APP_INFO value is true, the cloud_controller.admin_read_only scope. If the cloud_controller.admin_read_only scope is not available in the system, use the cloud_controller.admin value.
  4. Push the nozzle by running the following command:

    make deploy-nozzle
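
A check for the values edited in step 3, to run before make deploy-nozzle. This is an added example, not part of the splunk-firehose-nozzle project: it assumes each setting is a single KEY: value line in the manifest, and the function names and the sample manifest values are constructed for illustration.

```shell
#!/bin/sh
# Pre-deploy check for ci/nozzle_manifest.yml (added example, not project code).
# Assumption: each setting is a "KEY: value" line under the app's env block.
REQUIRED_KEYS="API_ENDPOINT API_USER API_PASSWORD SPLUNK_TOKEN SPLUNK_HOST SPLUNK_INDEX FIREHOSE_SUBSCRIPTION_ID"

# Print the value of KEY ($2) from FILE ($1), without quotes or trailing comment.
manifest_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/^#.*//' -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per problem; the exit status is the number of problems found.
check_nozzle_manifest() {
    problems=0
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    for key in $REQUIRED_KEYS; do
        value=$(manifest_value "$1" "$key")
        case $value in
            "" | "<"*">" | changeme)   # unset, template placeholder, or default password
                echo "$key: empty, placeholder, or default value"
                problems=$((problems + 1)) ;;
        esac
    done
    # The HEC token travels in a request header, so require TLS to the collector.
    case $(manifest_value "$1" SPLUNK_HOST) in
        "" | "<"*">" | https://?*:[0-9]*) ;;   # empty/placeholder already reported
        *) echo "SPLUNK_HOST: expected https://<host>:<port>"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample manifest (all values are made up) with three problems.
sample_manifest() {
    cat <<'EOF'
applications:
- name: splunk-firehose-nozzle
  env:
    API_ENDPOINT: https://api.sys.example.com
    API_USER: nozzle-reader
    API_PASSWORD: changeme
    SPLUNK_TOKEN: <your HEC token>
    SPLUNK_HOST: http://splunk.example.com:8088   # cleartext
    SPLUNK_INDEX: "cf_logs"
    FIREHOSE_SUBSCRIPTION_ID: splunk-firehose
EOF
}

if [ "$#" -gt 0 ]; then check_nozzle_manifest "$1"; fi   # e.g. ci/nozzle_manifest.yml
```

Because the manifest holds API_PASSWORD and SPLUNK_TOKEN in clear text, keep the edited file out of version control and readable only by the deploying user.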