Splunk
Send logs to Splunk HTTP Event Collector
The Splunk output plugin ingests your records into a Splunk Enterprise service through the HTTP Event Collector (HEC) interface.
For more details about how to set up the HEC in Splunk, please refer to the following documentation: Splunk / Use the HTTP Event Collector
Configuration Parameters
Connectivity, transport and authentication configuration properties:
Content and Splunk metadata (fields) handling configuration properties:
TLS / SSL
The Splunk output plugin supports TLS/SSL. For more details about the available properties and general configuration, please refer to the TLS/SSL section.
Getting Started
To insert records into a Splunk service, you can run the plugin from the command line or through the configuration file:
Command Line
The splunk plugin can read its parameters from the command line in two ways, e.g. through the -p argument (property):
Configuration File
In your main configuration file append the following Input & Output sections:
Data format
By default, the Splunk output plugin nests the record under the event key in the payload sent to the HEC. It also appends the time of the record to a top-level time key.
If you would like to customize any of the Splunk event metadata, such as the host or target index, you can set Splunk_Send_Raw On in the plugin configuration and add the metadata as keys/values in the record. Note: with Splunk_Send_Raw enabled, you are responsible for creating and populating the event section of the payload.
For example, to add a custom index and hostname:
This will create a payload that looks like:
For more information on the Splunk HEC payload format and all event metadata Splunk accepts, see here: http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC
Sending Raw Events
If the splunk_send_raw option has been enabled, the user must take care to put all log details in the event field and to specify only fields known to Splunk at the top level of the payload; if there is a mismatch, Splunk will return an HTTP 400 error.
Consider the following example:
splunk_send_raw off
splunk_send_raw on
For up to date information about the valid keys in the top level object, refer to the Splunk documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC
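To make the difference between the two modes concrete, here is an added Python example (written for this page, not code from the Fluent Bit project) that models the payload the plugin builds: with splunk_send_raw off the record is nested under event and the record time is added as a top-level time key; with splunk_send_raw on the record is sent as-is, so the record itself must carry the event key and only HEC-known top-level keys. The key check is an addition of this example, written so the mismatch that makes Splunk answer HTTP 400 is caught before the request is sent. The host name, index name and record contents are constructed sample values.

```python
import json

# Top-level keys the Splunk HEC event endpoint accepts (per the Splunk HEC
# documentation linked above). Any other top-level key in a raw payload
# is rejected by Splunk with HTTP 400.
HEC_TOP_LEVEL_KEYS = {"time", "host", "source", "sourcetype", "index", "event", "fields"}


def build_payload(record: dict, record_time: float, send_raw: bool = False) -> dict:
    """Model the plugin's two payload modes.

    send_raw=False: nest the whole record under "event" and add the record
                    timestamp as a top-level "time" key (the plugin default).
    send_raw=True:  the record *is* the payload; the caller must already have
                    put the log details under "event".
    """
    if not send_raw:
        return {"time": record_time, "event": record}
    return dict(record)


def find_unknown_top_level_keys(payload: dict) -> set:
    """Return the top-level keys that Splunk HEC does not recognise.

    A non-empty result means Splunk would answer HTTP 400 for this payload
    when splunk_send_raw is on.
    """
    return set(payload) - HEC_TOP_LEVEL_KEYS


def validate_raw_payload(payload: dict) -> None:
    """Raise ValueError for a raw-mode payload that Splunk would reject."""
    if "event" not in payload:
        raise ValueError("raw payload has no 'event' key; log details would be lost")
    unknown = find_unknown_top_level_keys(payload)
    if unknown:
        raise ValueError(f"top-level keys not accepted by HEC: {sorted(unknown)}")


# Constructed sample record, as the plugin might receive it from an input.
SAMPLE_RECORD = {"msg": "user login", "user": "alice", "status": "ok"}

# Default mode: the plugin wraps the record for us.
DEFAULT_PAYLOAD = build_payload(SAMPLE_RECORD, 1700000000.0)

# Raw mode with a custom index and hostname: the record is authored so that
# the log details sit under "event" and the metadata sits at the top level.
RAW_RECORD = {
    "time": 1700000000.0,
    "host": "web-01",       # constructed host name
    "index": "app_logs",    # constructed index name
    "event": SAMPLE_RECORD,
}
RAW_PAYLOAD = build_payload(RAW_RECORD, 1700000000.0, send_raw=True)

# Raw-mode mistake: log fields placed at the top level instead of under "event".
BAD_RAW_RECORD = {"time": 1700000000.0, "host": "web-01", "msg": "user login", "user": "alice"}

if __name__ == "__main__":
    print(json.dumps(DEFAULT_PAYLOAD))
    validate_raw_payload(RAW_PAYLOAD)
    print(json.dumps(RAW_PAYLOAD))
    try:
        validate_raw_payload(BAD_RAW_RECORD)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script prints the default-mode payload, then the raw-mode payload with its custom host and index, and finally shows the malformed raw record being rejected locally instead of by Splunk.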
Splunk Metric Index
With Splunk 8.0 and later you can also use the Calyptia Fluent Bit Splunk output plugin to send data to metric indices. This lets you perform visualizations, metric queries and analysis alongside other metrics you may be collecting. It relies on Splunk 8.0's support for multiple metrics in a single JSON payload; more details can be found on Splunk's documentation page.
Sending to a Splunk metric index requires the Splunk_send_raw option to be enabled and the message to be formatted properly. This involves three specific operations:
1. Nest metric events under a "fields" property
2. Add the metric_name: prefix to all metrics
3. Add index, source and sourcetype as fields in the message
Example Configuration
The following configuration gathers CPU metrics, nests the appropriate field, adds the required identifiers and then sends to Splunk.
Send Metrics Events of Calyptia Fluent Bit
With Calyptia Fluent Bit 2.0, you can also send Calyptia Fluent Bit's metrics-type events into Splunk via Splunk HEC. This lets you perform visualizations, metric queries and analysis on Calyptia Fluent Bit's metrics-type events sent directly. It relies on Splunk 8.0's support for multiple metrics in a single concatenated JSON payload.
Sending Calyptia Fluent Bit's metrics into Splunk requires one of the plugins that collect Calyptia Fluent Bit's metrics. Note that log-type and metric-type events are distinguished automatically; you do not need to pay attention to the type of event. This example includes two specific operations:
1. Collect node or Calyptia Fluent Bit's internal metrics
2. Send the metrics as a single concatenated JSON payload
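The following added Python example (written for this page, not code from the Fluent Bit project) shows the shape the two metric sections above describe: each record's metric values are nested under fields, every metric key gets the metric_name: prefix, and index, source and sourcetype are added to the message; several such events are then joined into the single concatenated JSON body that HEC accepts. The "event": "metric" marker comes from Splunk's documented HEC metrics format and is not stated on this page; the CPU records, index, source and sourcetype names are constructed sample values, and the numeric check is this example's own guard for the "metric values must be numeric" rule of metric indices.

```python
import json

# Constructed sample records shaped like the cpu input's output: one record
# per collection interval, one key per metric.
CPU_RECORDS = [
    (1700000000.0, {"cpu_p": 12.5, "user_p": 8.0, "system_p": 4.5}),
    (1700000001.0, {"cpu_p": 15.0, "user_p": 10.0, "system_p": 5.0}),
]


def to_metric_event(record_time, record, index, source, sourcetype, host=None) -> dict:
    """Shape one Fluent Bit record into a Splunk HEC metric event.

    Mirrors the three operations listed on the page:
      1. nest the metric values under "fields",
      2. prefix every metric key with "metric_name:",
      3. add index, source and sourcetype as top-level keys of the message.
    "event": "metric" is the marker used by Splunk's HEC metrics format.
    """
    fields = {}
    for key, value in record.items():
        # Metric indices only accept numeric values; bool is excluded on purpose.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"{key!r} is not numeric; metric indices only accept numbers")
        fields[f"metric_name:{key}"] = value
    event = {
        "time": record_time,
        "event": "metric",
        "index": index,
        "source": source,
        "sourcetype": sourcetype,
        "fields": fields,
    }
    if host is not None:
        event["host"] = host
    return event


def to_hec_body(events) -> str:
    """Join several HEC events into one request body.

    HEC accepts multiple JSON objects back to back in a single POST; this is
    the "single concatenated JSON payload" the page refers to.
    """
    return "".join(json.dumps(e, separators=(",", ":")) for e in events)


def split_hec_body(body: str) -> list:
    """Decode a concatenated-JSON body back into its events.

    Useful for checking what was actually sent, e.g. from a captured request.
    """
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while pos < len(body):
        obj, pos = decoder.raw_decode(body, pos)
        events.append(obj)
    return events


METRIC_EVENTS = [
    to_metric_event(ts, rec, index="cpu-metrics", source="fluent-bit", sourcetype="fluentbit_cpu")
    for ts, rec in CPU_RECORDS
]
HEC_BODY = to_hec_body(METRIC_EVENTS)

if __name__ == "__main__":
    print(HEC_BODY)
    print(len(split_hec_body(HEC_BODY)), "events in body")
```

Running the script prints the concatenated body as it would be posted to the HEC endpoint and confirms that it decodes back into the two metric events.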