To enhance your DataSync integration for Splunk Enterprise, you can optionally configure the Splunk meshlet to keep track of the data you are sending by using index numbers in case of data loss. The HTTP Event Collector in the Splunk server supports indexer acknowledgement, a feature that will index each data that are sent.
Prerequisites
First, you will need to contact Perspectium Support to get you started with Splunk meshlet.
Procedure
To get started with using indexer acknowledgment, complete the following procedures:
Enable indexer acknowledgement
Access your Splunk Enterprise and go to Settings > Data Input and click into HTTP Event Collector. Check the Enable indexer acknowledgement box.
Edit meshlet configuration file
Configure your splunk connection by editing the meshlet configuration file. ackUrl will be your splunk URL. requestChannel will be the token value in splunk.
splunk: ackUrl: http://splunk-url/services/collector/ack requestChannel: a7175f62-d67b-4793-a172-c1b946c0e444
Run splunk meshlet
Access your splunk meshlet application by going to the meshlet folder and run the create-service application as an Administrator.
If running the splunk meshlet is successful, you will get a response like below:
Response: {"text":"Success","code":0,"ackId":0}
Response: {"acks":{"0":true}}
