From e9ba66580379bc0843088b012d6a074996deeb88 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 13:26:30 -0800 Subject: [PATCH 1/6] Add Data from Splunk feature deprecation notice --- .../get-started/other-tutorials/add-data-from-splunk.md | 4 ++-- .../security/get-started/ingest-data-to-elastic-security.md | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md b/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md index 6d5ff04b8b..190224b704 100644 --- a/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md +++ b/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md @@ -2,7 +2,7 @@ mapped_pages: - https://www.elastic.co/guide/en/observability/current/splunk-get-started.html applies_to: - stack: preview + stack: deprecated 9.0 products: - id: observability --- @@ -10,7 +10,7 @@ products: # Add data from Splunk [splunk-get-started] ::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. +This functionality was deprecated in {{stack}} v9.0 and is no longer supported. :::: diff --git a/solutions/security/get-started/ingest-data-to-elastic-security.md b/solutions/security/get-started/ingest-data-to-elastic-security.md index 7a88532172..3d6f9f668c 100644 --- a/solutions/security/get-started/ingest-data-to-elastic-security.md +++ b/solutions/security/get-started/ingest-data-to-elastic-security.md 
@@ -19,7 +19,6 @@ To ingest data, you can use: * The {{agent}} with integrations, which are available in the [Elastic Package Registry (EPR)](/reference/fleet/index.md#package-registry-intro). To install an integration that works with {{elastic-sec}}, go to the {{kib}} Home page or navigation menu and click **Add integrations**. On the Integrations page, click the **Security** category filter, then select an integration to view the installation instructions. For more information on integrations, refer to [{{integrations}}](https://docs.elastic.co/en/integrations). * **{{beats}}** shippers installed for each system you want to monitor. * **{{ls}}**, which dynamically ingests, transforms, and ships your data regardless of format. -* The {{agent}} to send data from Splunk to {{elastic-sec}}. Refer to [Get started with data from Splunk](/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md). * Third-party collectors configured to ship ECS-compliant data. [](/reference/security/fields-and-object-schemas/siem-field-reference.md) provides a list of ECS fields used in {{elastic-sec}}. ::::{important} From 49bafeda92e52ff6fe8afa917f05440a73bdd88c Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 13:32:22 -0800 Subject: [PATCH 2/6] removes old links --- solutions/observability/get-started/other-tutorials/index.md | 1 - solutions/observability/get-started/quickstarts.md | 1 - 2 files changed, 2 deletions(-) diff --git a/solutions/observability/get-started/other-tutorials/index.md b/solutions/observability/get-started/other-tutorials/index.md index b770f7622b..9d6d8b1288 100644 --- a/solutions/observability/get-started/other-tutorials/index.md +++ b/solutions/observability/get-started/other-tutorials/index.md 
@@ -13,6 +13,5 @@ products: The following tutorials explore various use cases and {{observability}} scenarios. - [Tutorial: Monitor a Java application](/solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md) -- [Tutorial: Add data from Splunk](/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md) To get started with {{observability}}, refer to [Get started with Elastic {{observability}}](/solutions/observability/get-started.md). \ No newline at end of file diff --git a/solutions/observability/get-started/quickstarts.md b/solutions/observability/get-started/quickstarts.md index 91ab4d9c71..f303a327c0 100644 --- a/solutions/observability/get-started/quickstarts.md +++ b/solutions/observability/get-started/quickstarts.md @@ -38,7 +38,6 @@ Want to use {{fleet}} or some other feature not covered in the quickstarts? Foll Ready to dig into more features of Elastic Observability? See these guides: -* [Add data from Splunk](/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md). * [Create an alert](/solutions/observability/incident-management/alerting.md). * [Create a service-level objective (SLO)](/solutions/observability/incident-management/create-an-slo.md). From 6f2e0d18c577194f085450ccae4fc0b6f387bbc7 Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 13:55:37 -0800 Subject: [PATCH 3/6] removes old page and fixes folder structure --- redirects.yml | 6 +- .../other-tutorials/add-data-from-splunk.md | 103 ------------------ .../get-started/other-tutorials/index.md | 17 --- .../tutorial-monitor-java-application.md | 0 solutions/toc.yml | 5 +- 5 files changed, 5 insertions(+), 126 deletions(-) delete mode 100644 solutions/observability/get-started/other-tutorials/add-data-from-splunk.md delete mode 100644 solutions/observability/get-started/other-tutorials/index.md rename solutions/observability/get-started/{other-tutorials => }/tutorial-monitor-java-application.md (100%) diff --git a/redirects.yml b/redirects.yml index 432357bc47..f76ef3445d 100644 --- a/redirects.yml +++ b/redirects.yml @@ -585,5 +585,7 @@ redirects: # Related to https://github.com/elastic/docs-content/pull/3685 'deploy-manage/monitor/autoops/cc-cloud-connect-autoops-faq.md': 'deploy-manage/monitor/autoops/ec-autoops-faq.md' - - +# Related to https://github.com/elastic/docs-content/pull/3791 + 'solutions/observability/get-started/other-tutorials/index.md': 'solutions/observability/get-started/tutorial-monitor-java-application.md' + 'solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md': 'solutions/observability/get-started/tutorial-monitor-java-application.md' + 'solutions/observability/get-started/other-tutorials/add-data-from-splunk.md': 'solutions/observability/get-started.md' \ No newline at end of file diff --git a/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md b/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md deleted file mode 100644 index 190224b704..0000000000 --- a/solutions/observability/get-started/other-tutorials/add-data-from-splunk.md +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/observability/current/splunk-get-started.html -applies_to: - stack: deprecated 9.0 -products: - - id: observability ---- - -# Add data from Splunk [splunk-get-started] - -::::{warning} -This functionality was deprecated in {{stack}} v9.0 and is no longer supported. -:::: - - -Apache, AWS CloudTrail, Nginx, and Zeek integrations offer the ability to seamlessly ingest data from a Splunk Enterprise instance. Data will be automatically mapped to the Elastic Common Schema, making it available for rapid analysis in Elastic solutions, including Security and {{observability}}. - -These integrations work by using the `httpjson` input in {{agent}} to run a Splunk search via the Splunk REST API and then extract the raw event from the results. The raw event is then processed via the {{agent}}. The Splunk search is customizable and the interval between searches is customizable. These integrations only get new data since the last query, not historical data. - -:::{image} /solutions/images/observability-elastic-agent-splunk.png -:alt: Splunk integration components -:screenshot: -::: - -To ingest Nginx data from Splunk, perform the following steps. The options are the same for Apache, AWS CloudTrail, and Zeek. - - -## Prerequisites [splunk-prereqs] - -To follow the steps in this guide, you need an {{stack}} deployment that includes: - -* {{es}} for storing and searching data -* {{kib}} for visualizing and managing data -* Kibana user with `All` privileges on {{fleet}} and Integrations. Since many Integrations assets are shared across spaces, users need the Kibana privileges in all spaces. -* Integrations Server (included by default in every {{ech}} deployment) - -To get started quickly, create an {{ech}} deployment and host it on AWS, GCP, or Azure. [Try it out for free](https://cloud.elastic.co/registration?page=docs&placement=docs-body). 
- - -## Step 1: Add integration [splunk-step-one] - -Find **Integrations** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Search for and add the nginx integration. Refer to [Get started with system metrics](../../infra-and-hosts/get-started-with-system-metrics.md) for detailed steps about adding integrations. - - -## Step 2: Enable Collect logs from third-party REST API [splunk-step-two] - -Enable "Collect logs from third-party REST API" and disable both "Collect logs from Nginx instances" and "Collect metrics from Nginx instances". - -:::{image} /solutions/images/observability-kibana-fleet-third-party-rest-api.png -:alt: {{fleet}} showing enabling third-party REST API -:screenshot: -::: - - -## Step 3: Enter connection information [splunk-step-three] - -Enter the required information to connect to the Splunk Enterprise REST API. - -The URL of the Splunk Enterprise Server must include the scheme (`http` or `https`), the IP address or hostname of the Splunk Enterprise Server, and the port the REST API is listening on. - -The Splunk username and password must be of a user with a role or capability to use REST API endpoints. Administrative users have these permissions by default. - -SSL Configuration is available under the "Advanced options". These may be necessary if Splunk Enterprise server uses self-signed certificates. See [SSL Options](beats://reference/filebeat/configuration-ssl.md) for valid configuration options. - -:::{image} /solutions/images/observability-kibana-fleet-third-party-rest-settings.png -:alt: {{fleet}} showing enabling third-party REST API settings -:screenshot: -::: - - -## Step 4: Enter information to select data from Splunk [splunk-step-four] - -For each type of log file, enter the interval and Splunk search string. - -The interval is expressed as a [Go duration](https://golang.org/pkg/time/#ParseDuration). 
The interval is the time between requests sent to the Splunk Enterprise REST API to request new information. Intervals less than one second are not recommended; Splunk only maintains second accuracy for index time. The interval should closely match the rate at which data arrives at the Splunk Enterprise Server. For example, an interval of "5s" for data that only arrives at the Splunk Enterprise Server every hour will generate unnecessary load on the Splunk Enterprise Server. - -The search string is the Splunk search used to uniquely describe the events that match the type of log file you are trying to configure. For example, to uniquely describe Nginx access logs `search sourcetype=nginx:plus:access` might be used. Note, the search string must begin with "search" for details refer to the Splunk REST API manual and the "search/jobs/export" endpoint. - -Be aware that each time the {{agent}} connects to the Splunk Enterprise REST API a Splunk search is performed. Because of this you want to be sure your search string is as specific as possible, since this reduces the load on the Splunk Enterprise Server. - -Tags may be added in the "Advanced options". For example, if you’d like to tag events coming from Splunk with a *Splunk* tag, you can add it here. By default, the forward tag is present to indicate that events are being forwarded via an intermediary, i.e. Splunk. - -:::{image} /solutions/images/observability-kibana-fleet-third-party-rest-dataset-settings.png -:alt: {{fleet}} showing enabling third-party REST API settings -:screenshot: -::: - - -## Step 5: Save Integration [splunk-step-five] - -Click Save Integration - -Data and Dashboards will be available just as if you had collected the data on the Nginx host using log files. - - -### Considerations and questions [splunk-considerations] - -The time on the host running the agent and the Splunk Enterprise Server should be synchronized to the same time source, with correct timezone information. 
Failure to do this could result in delays in transferring data or gaps in the data received. - -**Does the Splunk data need to be in a specific format or mapped to Splunk’s Common Information Model?** No, because these integrations take the raw event from Splunk and process that. There is no dependency on any Splunk processing. - -**Are events mapped to Elastic Common Schema (ECS)?** Yes, events from these integrations go through the exact same processing as if {{agent}} had gotten the event from the original source. So the same level of mapping to ECS occurs. diff --git a/solutions/observability/get-started/other-tutorials/index.md b/solutions/observability/get-started/other-tutorials/index.md deleted file mode 100644 index 9d6d8b1288..0000000000 --- a/solutions/observability/get-started/other-tutorials/index.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -navigation_title: Other Observability tutorials -applies_to: - stack: ga - serverless: ga -products: - - id: cloud-serverless - - id: observability ---- - -# {{observability}} tutorials - -The following tutorials explore various use cases and {{observability}} scenarios. - -- [Tutorial: Monitor a Java application](/solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md) - -To get started with {{observability}}, refer to [Get started with Elastic {{observability}}](/solutions/observability/get-started.md). \ No newline at end of file diff --git a/solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md b/solutions/observability/get-started/tutorial-monitor-java-application.md similarity index 100% rename from solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md rename to solutions/observability/get-started/tutorial-monitor-java-application.md diff --git a/solutions/toc.yml b/solutions/toc.yml index da344a87e2..585e6fc2fc 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml 
@@ -143,10 +143,7 @@ toc: - file: observability/get-started/opentelemetry/use-cases/kubernetes/upgrade.md - file: observability/get-started/opentelemetry/use-cases/kubernetes/customization.md - folder: observability/get-started/opentelemetry/use-cases/llms - - file: observability/get-started/other-tutorials/index.md - children: - - file: observability/get-started/other-tutorials/tutorial-monitor-java-application.md - - file: observability/get-started/other-tutorials/add-data-from-splunk.md + - file: observability/get-started/other-tutorials/tutorial-monitor-java-application.md - file: observability/get-started/logs-essentials.md - file: observability/applications/index.md children: From 09d4852345f66fb181e331d4bf7a1dba376bafc3 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 13:58:57 -0800 Subject: [PATCH 4/6] fixes broken ref --- solutions/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/toc.yml b/solutions/toc.yml index 585e6fc2fc..74085593b8 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -143,7 +143,7 @@ toc: - file: observability/get-started/opentelemetry/use-cases/kubernetes/upgrade.md - file: observability/get-started/opentelemetry/use-cases/kubernetes/customization.md - folder: observability/get-started/opentelemetry/use-cases/llms - - file: observability/get-started/other-tutorials/tutorial-monitor-java-application.md + - file: observability/get-started/tutorial-monitor-java-application.md - file: observability/get-started/logs-essentials.md - file: observability/applications/index.md children: From 4827f3282bfbe95f6a48227310d34cf3c4db9be8 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 14:11:54 -0800 Subject: [PATCH 5/6] fixes broken redirects --- redirects.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/redirects.yml b/redirects.yml index f76ef3445d..82cd033a81 100644 --- a/redirects.yml +++ b/redirects.yml 
@@ -186,7 +186,7 @@ redirects: 'solutions/observability/apps/analyze-monitors.md': 'solutions/observability/uptime/analyze-monitors.md' 'solutions/observability/apps/inspect-uptime-duration-anomalies.md': 'solutions/observability/uptime/inspect-duration-anomalies.md' 'solutions/observability/apps/configure-settings.md': 'solutions/observability/uptime/configure-settings.md' - 'solutions/observability/apps/tutorial-monitor-java-application.md': 'solutions/observability/get-started/other-tutorials/tutorial-monitor-java-application.md' + 'solutions/observability/apps/tutorial-monitor-java-application.md': 'solutions/observability/get-started/tutorial-monitor-java-application.md' # we can't redirect to the search-ui book so this is the next best option 'reference/search/index.md': 'reference/index.md' @@ -206,7 +206,7 @@ redirects: 'troubleshoot/elasticsearch/elasticsearch-client-net-api/logging.md': 'troubleshoot/elasticsearch/clients.md' 'troubleshoot/elasticsearch/elasticsearch-client-net-api/net.md': 'troubleshoot/elasticsearch/clients.md' 'troubleshoot/elasticsearch/elasticsearch-client-ruby-api/ruby.md': 'troubleshoot/elasticsearch/clients.md' - 'solutions/observability/get-started/add-data-from-splunk.md': 'solutions/observability/get-started/other-tutorials/add-data-from-splunk.md' + 'solutions/observability/get-started/add-data-from-splunk.md': 'solutions/observability/get-started.md' 'solutions/observability/get-started/create-an-observability-project.md': 'solutions/observability/get-started.md' 'solutions/observability/get-started/get-started-with-dashboards.md': 'solutions/observability/get-started.md' # Related to https://github.com/elastic/docs-content/pull/1329 From f8a12a5d9d5d6fe5dacd9af901eb25a686df88a8 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 3 Nov 2025 14:25:43 -0800 Subject: [PATCH 6/6] fixes broken link --- .../get-started/tutorial-monitor-java-application.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/solutions/observability/get-started/tutorial-monitor-java-application.md b/solutions/observability/get-started/tutorial-monitor-java-application.md index 64a43b64af..ab12ba0f4d 100644 --- a/solutions/observability/get-started/tutorial-monitor-java-application.md +++ b/solutions/observability/get-started/tutorial-monitor-java-application.md @@ -1912,5 +1912,5 @@ Do not underestimate the importance of this kind of monitoring. Also, consider t ## What’s next? [_whats_next] -For more information about using Elastic {{observability}}, see the [{{observability}} documentation](../what-is-elastic-observability.md). +For more information about using Elastic {{observability}}, refer to [](/solutions/observability/get-started/what-is-elastic-observability.md).
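Review bot: The two hunks in PATCH 1/6 against `add-data-from-splunk.md` (the `stack: deprecated 9.0` frontmatter and the rewritten `::::{warning}` text) are dead work, because PATCH 3/6 deletes the same file in full; squash them out or drop PATCH 1/6's first file entirely. If the sentence "This functionality was deprecated in {{stack}} v9.0 and is no longer supported." is meant to reach readers, it has to live somewhere that survives the series (for instance on the page the redirect in PATCH 3/6 sends them to), since after PATCH 3/6 nothing in the tree states that the Splunk input was deprecated.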
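Review bot: In the PATCH 2/6 hunk for `other-tutorials/index.md`, removing the Splunk entry leaves a one-item list and the file still ends with `\ No newline at end of file`; neither matters, because PATCH 3/6 deletes `index.md` and adds a redirect for it, so PATCH 2/6 should be folded into PATCH 3/6 rather than landing as a separate commit.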
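Review bot: The `redirects.yml` hunk in PATCH 3/6 introduces a missing trailing newline (`\ No newline at end of file` after the `add-data-from-splunk.md` entry); the file had one before, so add it back. The `# Related to https://github.com/elastic/docs-content/pull/3791` comment follows the existing convention in this file, which is good, but the entry `'solutions/observability/get-started/other-tutorials/add-data-from-splunk.md': 'solutions/observability/get-started.md'` sends readers of a bookmarked tutorial to a generic landing page with no hint of why; consider pointing the commit message or that target page at the deprecation.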
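Review bot: The `solutions/toc.yml` hunk in PATCH 3/6 is broken at that commit: the added line `+ - file: observability/get-started/other-tutorials/tutorial-monitor-java-application.md` keeps the `other-tutorials/` prefix, while the same commit renames the file to `solutions/observability/get-started/tutorial-monitor-java-application.md`. PATCH 4/6 ("fixes broken ref") corrects the path; squash it into PATCH 3/6 so every commit in the series builds and `git bisect` stays usable.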
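Review bot: The two `redirects.yml` hunks in PATCH 5/6 repair fallout from PATCH 3/6 rather than standing on their own: the line-186 hunk retargets the `apps/tutorial-monitor-java-application.md` redirect to the post-rename path, and the line-206 hunk collapses what would otherwise be a chain (`get-started/add-data-from-splunk.md` to `other-tutorials/add-data-from-splunk.md` to `get-started.md`) into a direct redirect. Both are correct, but they belong in the commit that deletes and moves the pages, otherwise PATCH 3/6 ships with one redirect pointing at a deleted page and another at a moved one.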
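Review bot: The PATCH 6/6 hunk fixes a link that PATCH 3/6 broke: once the tutorial moved up from `other-tutorials/` into `get-started/`, the relative `../what-is-elastic-observability.md` resolved one directory too high. Switching to the absolute `[](/solutions/observability/get-started/what-is-elastic-observability.md)` form matches the auto-titled links already used in `ingest-data-to-elastic-security.md`, so the change is right; fold it into PATCH 3/6 for the same reason as the TOC and redirect fixes.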