# Edge Delta Splunk Destination
## Overview

The Splunk destination node sends items to a Splunk destination. It sends raw bytes generated by marshaling items as JSON.

- incoming_data_types: cluster_pattern_and_sample, edac, health, heartbeat, log, metric, custom, splunk_payload, signal
## Configure Splunk

See Send Data to Splunk.

## Configure Edge Delta

Next, you configure the Edge Delta agent to forward data to the Splunk endpoint.
### Example Configuration

```yaml
- name: my_splunk
  type: splunk_output
  index: my_index
  endpoint: <REDACTED>
  token: <REDACTED>
```
## Required Parameters

### name

A descriptive name for the node. This is the name that will appear in Visual Pipelines, and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element, so it begins with a `-` and a space followed by the string. It is a required parameter for all nodes.

```yaml
nodes:
  - name: <node name>
    type: <node type>
```
### type: splunk_output

The `type` parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

```yaml
nodes:
  - name: <node name>
    type: <node type>
```
### endpoint

The `endpoint` parameter is the full Splunk HEC URI. It is specified as a string and is required.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
```
### index

The `index` parameter defines which index the node should flush data into. It is specified as a string and is required.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  index: <index>
```
### token

The `token` parameter provides the Splunk HEC token. It is specified as a string and is required.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
```
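The three required parameters above map directly onto a Splunk HEC request: `endpoint` is the URL that is POSTed to, `token` goes into the `Authorization: Splunk <token>` header, and `index` selects the index each event lands in. The following Python is an added example written for this page, not Edge Delta's code: it takes a `splunk_output` node that has already been loaded from YAML into a dict, refuses nodes that are missing a required parameter or use a plaintext `http://` endpoint (which would expose the token and the log data in transit), and builds the request. The exact wire format the agent uses is not documented on the page; the example assumes the standard HEC event envelope `{"index": ..., "event": <item>}` with several events concatenated in one body. The endpoint, token and items are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed example of a splunk_output node, as it would look after YAML loading.
# The endpoint and token are placeholders, not real values.
EXAMPLE_NODE = {
    "name": "my_splunk",
    "type": "splunk_output",
    "endpoint": "https://hec.example.invalid:8088/services/collector/event",
    "token": "PLACEHOLDER-HEC-TOKEN",
    "index": "my_index",
}

# Constructed sample items; the node marshals each one as JSON.
SAMPLE_ITEMS = [
    {"timestamp": "2024-01-01T00:00:00Z", "body": "auth failure for user alice", "host": "web-01"},
    {"timestamp": "2024-01-01T00:00:05Z", "body": "auth failure for user alice", "host": "web-01"},
]

REQUIRED = ("name", "type", "endpoint", "token", "index")


def validate_node(node: dict) -> None:
    """Reject a node that lacks a required parameter or points at a plaintext endpoint."""
    for key in REQUIRED:
        if not node.get(key):
            raise ValueError(f"splunk_output node is missing required parameter '{key}'")
    if node["type"] != "splunk_output":
        raise ValueError(f"unexpected node type {node['type']!r}")
    scheme = urlparse(node["endpoint"]).scheme
    if scheme != "https":
        # Over http the HEC token travels in a readable header and the events in the clear.
        raise ValueError(f"endpoint must use https, got scheme {scheme!r}")


def build_hec_request(node: dict, items: list) -> tuple:
    """Return (url, headers, body) for one HEC POST carrying all items.

    Assumption (not from the page): each item is wrapped as a standard HEC
    event object {"index": ..., "event": <item>} and the objects are
    concatenated, which HEC accepts as a batch.
    """
    validate_node(node)
    headers = {
        "Authorization": f"Splunk {node['token']}",
        "Content-Type": "application/json",
    }
    body = "".join(
        json.dumps({"index": node["index"], "event": item}, separators=(",", ":"))
        for item in items
    ).encode("utf-8")
    return node["endpoint"], headers, body


def decode_hec_batch(body: bytes) -> list:
    """Parse a concatenated-JSON HEC batch back into a list of event objects."""
    decoder = json.JSONDecoder()
    text = body.decode("utf-8")
    events, pos = [], 0
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events


if __name__ == "__main__":
    url, hdrs, payload = build_hec_request(EXAMPLE_NODE, SAMPLE_ITEMS)
    print(url)
    # Never log the token itself; show only that the header is present.
    print({k: ("Splunk ***" if k == "Authorization" else v) for k, v in hdrs.items()})
    print(payload.decode("utf-8"))
```

`decode_hec_batch` exists so the batch can be inspected (or asserted on) without sending anything; the request is deliberately only built, not transmitted, so the snippet runs offline.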
## Optional Parameters

### features

The `features` parameter defines which data types to stream to the destination. It is specified as a string containing a comma-separated list of item types. The default is `metric,edac,cluster`. It is optional.

| Feature Type | Supported? |
|---|---|
| Log | Yes |
| Metrics | Yes |
| Alert as event | Yes |
| Alert as log | No |
| Health | No |
| Dimensions as attribute | Yes |
| Send as is | No |
| Send as JSON | Yes |
| Custom tags | Yes |
| EDAC enrichment | No |
| Message template | No |
| ed.pipeline.write_bytes | Yes |
| outgoing__raw_bytes.sum | Yes |
| ed.pipeline.write_items | Yes (only data in raw message field) |
| output buffering to disk | No |

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  features: <feature 1>, <feature n>
```
### tls

The `tls` parameter is a dictionary type that enables a number of options to be set using sub-parameters. It is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    <tls options>:
```
#### ca_file

The `ca_file` parameter is a child of the `tls` parameter. It specifies the CA certificate file. It is specified as a string and is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ca_file: /certs/ca.pem
```
#### ca_path

The `ca_path` parameter is a child of the `tls` parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ca_path: <path>
```
#### client_auth_type

The `client_auth_type` parameter is a child of the `tls` parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

- `noclientcert` indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
- `requestclientcert` indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
- `requireanyclientcert` indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
- `verifyclientcertifgiven` indicates that a client certificate should be requested during the handshake, but does not require that the client send a certificate. If the client does send a certificate, it is required to be valid.
- `requireandverifyclientcert` indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    client_auth_type: <auth type>
```
#### crt_file

The `crt_file` parameter is a child of the `tls` parameter. It specifies the certificate file. It is specified as a string and is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    crt_file: /certs/server-cert.pem
```
#### ignore_certificate_check

The `ignore_certificate_check` parameter is a child of `tls`. It specifies whether to disable certificate verification for remote endpoints. It is specified as a Boolean and the default is `false`. It is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ignore_certificate_check: true
```
#### key_file

The `key_file` parameter is a child of the `tls` parameter. It specifies the key file. It is specified as a string and is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    key_password: <password>
    key_file: <path to file>
```
#### key_password

The `key_password` parameter is a child of the `tls` parameter. It specifies the password for the private key. When a `key_file` location is provided, `key_password` can also be provided so that the password-protected private key can be unlocked. It is specified as a string and is optional.

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    key_password: <password>
    key_file: <path to file>
```
#### max_version

The `max_version` parameter is a child of the `tls` parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

- `TLSv1_0`
- `TLSv1_1`
- `TLSv1_2`
- `TLSv1_3`

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    max_version: <TLS version>
```
#### min_version

The `min_version` parameter is a child of the `tls` parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is `TLSv1_2`.

You can select one of the following options:

- `TLSv1_0`
- `TLSv1_1`
- `TLSv1_2`
- `TLSv1_3`

```yaml
- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    min_version: <TLS version>
```
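The `tls` sub-parameters above (`ca_file`, `ca_path`, `crt_file`, `key_file`, `key_password`, `ignore_certificate_check`, `min_version`, `max_version`, `client_auth_type`) together decide how much the agent can trust the HEC endpoint it talks to. The following Python is an added example written for this page, not Edge Delta's code: it validates a `tls` block against the documented value lists and defaults (unknown versions, `max_version` below `min_version`, a `key_password` with no `key_file`, an unknown `client_auth_type`), reports the settings that weaken the connection (`ignore_certificate_check: true`, a `min_version` below the `TLSv1_2` default), and then shows how such a block would be applied to a client `ssl.SSLContext`. The mapping onto Python's `ssl` module is an assumption used to illustrate the parameters, and the two sample `tls` blocks (one hardened, one weakened) are constructed with placeholder paths.

```python
import ssl

# Documented TLS version strings mapped onto Python's ssl.TLSVersion members (assumed mapping).
TLS_VERSIONS = {
    "TLSv1_0": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}

# The closed list of client_auth_type values documented on the page.
CLIENT_AUTH_TYPES = {
    "noclientcert", "requestclientcert", "requireanyclientcert",
    "verifyclientcertifgiven", "requireandverifyclientcert",
}

# Constructed sample tls blocks (placeholder paths, not real files).
HARDENED_TLS = {
    "ca_file": "/certs/ca.pem",
    "min_version": "TLSv1_2",
    "max_version": "TLSv1_3",
}
WEAKENED_TLS = {
    "ignore_certificate_check": True,
    "min_version": "TLSv1_0",
}


def validate_tls_options(tls: dict) -> list:
    """Check a tls block against the documented values.

    Raises ValueError for values that cannot be applied at all; returns a list
    of findings (strings) for settings that apply but weaken the connection.
    """
    findings = []
    min_v = tls.get("min_version", "TLSv1_2")  # page: default min_version is TLSv1_2
    max_v = tls.get("max_version")
    for label, value in (("min_version", min_v), ("max_version", max_v)):
        if value is not None and value not in TLS_VERSIONS:
            raise ValueError(f"unknown {label} {value!r}; expected one of {sorted(TLS_VERSIONS)}")
    if max_v is not None and TLS_VERSIONS[max_v] < TLS_VERSIONS[min_v]:
        raise ValueError(f"max_version {max_v} is lower than min_version {min_v}")
    auth = tls.get("client_auth_type")
    if auth is not None and auth not in CLIENT_AUTH_TYPES:
        raise ValueError(f"unknown client_auth_type {auth!r}")
    if tls.get("key_password") and not tls.get("key_file"):
        raise ValueError("key_password is set but key_file is not")
    if TLS_VERSIONS[min_v] < ssl.TLSVersion.TLSv1_2:
        findings.append(f"min_version {min_v} permits deprecated protocol versions below TLSv1_2")
    if tls.get("ignore_certificate_check", False):
        findings.append("ignore_certificate_check is true: the endpoint certificate is not verified, "
                        "so the HEC token and log data may be sent to whatever answers at that address")
    return findings


def build_ssl_context(tls: dict) -> ssl.SSLContext:
    """Apply the tls sub-parameters to a client ssl.SSLContext (assumed mapping)."""
    validate_tls_options(tls)  # refuse unknown or contradictory values before applying anything
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_VERSIONS[tls.get("min_version", "TLSv1_2")]
    if tls.get("max_version"):
        ctx.maximum_version = TLS_VERSIONS[tls["max_version"]]
    if tls.get("ca_file") or tls.get("ca_path"):
        # ca_file / ca_path: trust the configured CA(s) for the endpoint certificate.
        ctx.load_verify_locations(cafile=tls.get("ca_file"), capath=tls.get("ca_path"))
    if tls.get("crt_file"):
        # crt_file / key_file / key_password: client certificate for mutual TLS.
        ctx.load_cert_chain(tls["crt_file"], keyfile=tls.get("key_file"),
                            password=tls.get("key_password"))
    if tls.get("ignore_certificate_check", False):
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context both verifies the certificate chain and checks the hostname."""
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


if __name__ == "__main__":
    for label, block in (("hardened", HARDENED_TLS), ("weakened", WEAKENED_TLS)):
        print(label, validate_tls_options(block) or ["no findings"])
```

`validate_tls_options` only inspects the dict, so it can be run over a configuration file before deployment without the certificate files being present; `build_ssl_context` needs the referenced files to exist and is what a client would actually hand to its HTTPS connection.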