Edge Delta Splunk Destination

Send items to a Splunk destination.

7 minute read

Overview

The Splunk destination node sends items to a Splunk destination. It sends raw bytes generated by marshaling items as JSON.

incoming_data_types: cluster_pattern_and_sample, edac, health, heartbeat, log, metric, custom, splunk_payload, signal

Configure Splunk

To set up a Splunk destination, you must:

Configure a HEC token in Splunk
Determine the correct HEC endpoint in Splunk, and
Import the Edge Delta dashboard into Splunk.

The process to set up a Splunk destination varies for Splunk Cloud and Splunk Enterprise users.

Step 1: Configure a HEC Token in Splunk

Option 1: Splunk Cloud To create a Splunk HTTP Event Collector (HEC) and token:

In the Splunk Web UI, navigate to Settings, then click Add Data.
Click Monitor, and then click HTTP Event Listener.
In the field, enter a name for the HEC, and then click Next.
Confirm the index information or use the default index, and then click Review.
Click Submit.
Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.

Option 2: Splunk Enterprise To ensure HTTP Event Collector (HEC) is enabled:

In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
Click HTTP Event Collector.
Click Global Settings.
Enable the All Tokens toggle option.

To create a Splunk HTTP Event Collector (HEC) and token:

In the Splunk Web UI, navigate to Settings, then click Add Data.
Click Monitor, and then click HTTP Event Listener.
In the field, enter a name for the HEC, and then click Next.
Confirm the index information or use the default index, and then click Review.
Click Submit.
Copy the displayed token value. You use the token in the Edge Delta Pipeline configuration.

Step 2: Determine your HEC Endpoint

Before you continue, verify that you have the following information:

Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
Splunk hostname (from Splunk Browser URI)
Input Protocol (HTTPS is default)

Each endpoint can support either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log. The sourcetype for the http endpoint should be set to Structures-> _json. With /event, Splunk’s JSON format is used with the timestamp in the JSON.

Option 1: Splunk Cloud Format (Cloud, Free Trial, Cloud on GCP)

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

Splunk Cloud

URI Format: https://http-inputs-<splunk_hostname>:443/services/collector/event

Splunk Free Trial

URI Format: https://inputs.<splunk_hostname>:8088/services/collector/event

Splunk Cloud on GCP

URI Format: https://http-inputs.<splunk_hostname>:443/services/collector/event

Option 2: Splunk Enterprise

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

URI Format: https://<splunk_hostname>:8088/services/collector/event

Step 3: Import the Edge Delta Dashboard to Splunk

Contact your Edge Delta Sales Engineer so that you can obtain the dashboard XML.

In Splunk, navigate to Search interface.
Click Dashboards.
Click Create New Dashboard.
Enter and configure a dashboard name, description, and permissions.
Click Classic Dashboards, and then click Create.
In the Edit Dashboard page, switch from UI to Source.
Replace the existing XML with the XML from Edge Delta.
Switch back to UI.
Click Save.

Configure Edge Delta

Finally, you configure the Edge Delta agent to forward data to the Splunk endpoint.

Example Configuration

- name: my_splunk
  type: splunk_output
  index: my_index
  endpoint: <REDACTED>
  token: <REDACTED>

Required Parameters

name

A descriptive name for the node. This is the name that will appear in Visual Pipelines and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: splunk_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

endpoint

The endpoint parameter is the full Splunk HEC URI. It is specified as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

index

The index parameter defines which index the node should flush data into. It is specified as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  index: <index>

token

The token parameter provides the Splunk HEC token. It is written as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

Optional Parameters

features

YAML Only

The features parameter defines which data types to stream to the destination. It is specified as a string of comma-separated list of item types. The default is metric,edac,cluster. It is optional.

Feature Type	Supported?
Log	Yes
Metrics	Yes
Alert as event	Yes
Alert as log	No
Health	No
Dimensions as attribute	Yes
Send as is	No
Send as JSON	Yes
Custom tags	Yes
EDAC enrichment	No
Message template	No
outgoing_bytes.sum	Yes
outgoing__raw_bytes.sum	Yes
outgoing_lines.count	Yes (only data in raw message field)
output buffering to disk	No

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  features: <feature 1>, <feature n>

tls

The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters. It is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      <tls options>:

ca_file The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      ca_file: /certs/ca.pem

ca_path The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      ca_path: <path>

client_auth_type The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      client_auth_type: <auth type>

crt_file The crt_file parameter is a child of the tls parameter. It specifies the certificate file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      crt_file: /certs/server-cert.pem

ignore_certificate_check The ignore_certificate_check parameter is a child of tls. It specifies whether to disable the certificate check for remote endpoints. It is specified as a Boolean and the default is false. It is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ignore_certificate_check: true

key_file The key_file parameter is a child of the tls parameter. It specifies the key file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    key_password: <password>
    key_file: <path to file>

key_password The key_password parameter is a child of the tls parameter. It specifies the key password. When the private key_file location is provided, this file can also be provided to get the password of the private key. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      key_password: <password>
      key_file: <path to file>

max_version The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

TLSv1_0
TLSv1_1
TLSv1_2
TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      max_version: <TLS version>

min_version The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.

You can select one of the following options:

TLSv1_0
TLSv1_1
TLSv1_2
TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      min_version: <TLS version>