Edge Delta Splunk Output

Send items to a Splunk destination.

Overview

The Splunk output sends items to a Splunk destination. It sends raw bytes generated by marshaling items as JSON.

Configure Splunk

To set up a Splunk output, you must:

  • Configure an HEC token in Splunk
  • Determine the correct HEC endpoint in Splunk, and
  • Import the Edge Delta dashboard into Splunk.

The process to set up a Splunk output varies for Splunk Cloud and Splunk Enterprise users.

Step 1: Configure an HEC Token in Splunk

Option 1: Splunk Cloud

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.

Option 2: Splunk Enterprise

To ensure HTTP Event Collector (HEC) is enabled:

  1. In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. Enable the All Tokens toggle option.

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You use the token in the Edge Delta agent configuration.

Step 2: Determine your HEC Endpoint

Before you continue, verify that you have the following information:

  • Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
  • Splunk hostname (from Splunk Browser URI)
  • Input Protocol (HTTPS is default)

Each endpoint can accept either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log; the sourcetype for the HTTP input should be set to Structured -> _json. With /event, Splunk’s JSON event format is used, and the timestamp is carried in the JSON envelope.

Option 1: Splunk Cloud Format (Cloud, Free Trial, Cloud on GCP)

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

Splunk Cloud

URI Format: https://http-inputs-<splunk_hostname>:443/services/collector/event

Splunk Free Trial

URI Format: https://inputs.<splunk_hostname>:8088/services/collector/event

Splunk Cloud on GCP

URI Format: https://http-inputs.<splunk_hostname>:443/services/collector/event

Option 2: Splunk Enterprise

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

URI Format: https://<splunk_hostname>:8088/services/collector/event
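The following is an added example, not Edge Delta or Splunk code. It reproduces the four HEC URI formats listed above as one function, and shows the two payload shapes the agent can send: the /event envelope, where the timestamp is carried explicitly in the JSON, and the /raw body, where Splunk parses the timestamp from the log itself. The HEC authentication header ("Authorization: Splunk <token>") is standard HEC behaviour rather than something stated on this page; the hostname, token and log record are constructed placeholders.

```python
import json

# Added example, not Edge Delta or Splunk code. Hostnames and tokens below
# are placeholders; the URI formats are the ones documented for each
# Splunk deployment type.

HEC_URI_FORMATS = {
    "cloud":      "https://http-inputs-{host}:443/services/collector/{kind}",
    "free_trial": "https://inputs.{host}:8088/services/collector/{kind}",
    "cloud_gcp":  "https://http-inputs.{host}:443/services/collector/{kind}",
    "enterprise": "https://{host}:8088/services/collector/{kind}",
}


def build_hec_uri(deployment: str, hostname: str, kind: str = "event") -> str:
    """Return the HEC endpoint URI for a deployment type and endpoint kind."""
    if kind not in ("event", "raw"):
        raise ValueError("kind must be 'event' or 'raw'")
    if deployment not in HEC_URI_FORMATS:
        raise ValueError(f"unknown deployment type: {deployment}")
    return HEC_URI_FORMATS[deployment].format(host=hostname, kind=kind)


def hec_headers(token: str) -> dict:
    """HEC authenticates each request with the token in the Authorization
    header (standard HEC behaviour, assumed here)."""
    return {"Authorization": f"Splunk {token}",
            "Content-Type": "application/json"}


def event_payload(log_line: str, epoch_seconds: float,
                  index: str = None, sourcetype: str = None) -> str:
    """/event body: Splunk's own envelope, timestamp carried in 'time'."""
    body = {"time": epoch_seconds, "event": log_line}
    if index:
        body["index"] = index
    if sourcetype:
        body["sourcetype"] = sourcetype
    return json.dumps(body)


def raw_payload(log_record: dict) -> str:
    """/raw body: the record is sent as-is in JSON form, so Splunk must
    parse the timestamp out of it (hence the _json sourcetype)."""
    return json.dumps(log_record)


if __name__ == "__main__":
    # Constructed sample: one log record as the agent might marshal it.
    record = {"timestamp": "2024-01-01T00:00:00Z",
              "msg": "user login ok", "host": "web-01"}
    print(build_hec_uri("cloud", "acme.splunkcloud.com"))
    print(hec_headers("<REDACTED>"))
    print(event_payload(record["msg"], 1704067200.0, index="main"))
    print(raw_payload(record))
```

When choosing between the two, the practical difference is who owns the timestamp: with /event the agent states it, with /raw Splunk's sourcetype configuration must extract it, so a mis-set sourcetype on the HEC input shows up as events indexed at arrival time rather than at log time.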

Step 3: Import the Edge Delta Dashboard to Splunk

Contact your Edge Delta Sales Engineer so that you can obtain the dashboard XML.

  1. In Splunk, navigate to Search interface.
  2. Click Dashboards.
  3. Click Create New Dashboard.
  4. Enter and configure a dashboard name, description, and permissions.
  5. Click Classic Dashboards, and then click Create.
  6. In the Edit Dashboard page, switch from UI to Source.
  7. Replace the existing XML with the XML from Edge Delta.
  8. Switch back to UI.
  9. Click Save.

Configure Edge Delta

Finally, you configure the Edge Delta agent to forward data to the Splunk endpoint.

Example Configuration

- name: my_splunk
  type: splunk_output
  features: log
  endpoint: <REDACTED>
  token: <REDACTED>

Required Parameters

name

A descriptive name for the node. This is the name that appears in Visual Pipelines, and you can reference the node elsewhere in the YAML by this name. It must be unique across all nodes. Because a node is a YAML list element, the name line begins with a hyphen and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: splunk_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

endpoint

The endpoint parameter is the full Splunk HEC URI. It is specified as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

token

The token parameter provides the Splunk HEC token. It is written as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

Optional Parameters

features

The features parameter defines which data types to stream to the destination. It is specified as a string containing a comma-separated list of item types. The default is metric,edac,cluster. It is optional.

Feature Type                 Supported?
Log                          Yes
Metrics                      Yes
Alert as event               Yes
Alert as log                 No
Health                       No
Dimensions as attribute      Yes
Send as is                   No
Send as JSON                 Yes
Custom tags                  Yes
EDAC enrichment              No
Message template             No
outgoing_bytes.sum           Yes
outgoing__raw_bytes.sum      Yes
outgoing_lines.count         Yes (only data in raw message field)
output buffering to disk     No

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  features: <feature 1>, <feature n>

index

The index parameter defines which index the node should flush data into. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  index: <index>

tls

The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters. It is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      <tls option>: <value>

ca_file

The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      ca_file: /certs/ca.pem

ca_path

The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      ca_path: <path>

client_auth_type

The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.

The following authentication methods are available:

  • noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
  • requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
  • requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
  • verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
  • requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      client_auth_type: <auth type>

crt_file

The crt_file parameter is a child of the tls parameter. It specifies the certificate file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      crt_file: /certs/server-cert.pem

disable_verify

The disable_verify parameter is a child of tls. It specifies whether to disable the certificate check for remote endpoints. It is specified as a Boolean and the default is false. It is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      disable_verify: true

key_file

The key_file parameter is a child of the tls parameter. It specifies the key file. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      key_password: <password>
      key_file: <path to file>

key_password

The key_password parameter is a child of the tls parameter. It specifies the password for the private key: when a private key_file is provided, this parameter supplies the password that unlocks it. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      key_password: <password>
      key_file: <path to file>

max_version

The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      max_version: <TLS version>

min_version

The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
      min_version: <TLS version>
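As an added example (not Edge Delta's own tooling), the following lint checks one splunk_output node against the parameters documented above: the four required keys, the HEC endpoint shape, the tls closed lists and the TLSv1_2 default, and the settings a reviewer would flag before deployment (disable_verify: true, a min_version below the default, a max_version lower than min_version, a key_password with no key_file). It operates on the dict that yaml.safe_load would return for the node, so it needs no YAML library; the two sample nodes are constructed, with placeholder endpoints and tokens.

```python
from urllib.parse import urlparse

# Added example, not Edge Delta code. Parameter names, closed lists and
# defaults come from the splunk_output documentation; sample nodes are
# constructed and their endpoints/tokens are placeholders.

REQUIRED = ("name", "type", "endpoint", "token")
TLS_VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # weakest to strongest
DEFAULT_MIN_VERSION = "TLSv1_2"                               # documented default
CLIENT_AUTH_TYPES = {"noclientcert", "requestclientcert", "requireanyclientcert",
                     "verifyclientcertifgiven", "requireandverifyclientcert"}
HEC_PATHS = ("/services/collector/event", "/services/collector/raw")


def lint_splunk_output(node: dict) -> list:
    """Return a list of findings for one node; empty means nothing to report."""
    findings = []
    for key in REQUIRED:
        if not node.get(key):
            findings.append(f"missing required parameter '{key}'")
    if node.get("type") not in (None, "splunk_output"):
        findings.append(f"type must be splunk_output, got '{node['type']}'")

    endpoint = node.get("endpoint")
    if isinstance(endpoint, str):
        url = urlparse(endpoint)
        if url.scheme != "https":
            findings.append("endpoint is not HTTPS; the HEC token would travel in the clear")
        if not url.path.endswith(HEC_PATHS):
            findings.append("endpoint path is not a HEC /event or /raw collector URI")

    tls = node.get("tls") or {}
    if tls.get("disable_verify") is True:
        findings.append("tls.disable_verify is true: the Splunk server certificate is not checked")

    min_v = tls.get("min_version", DEFAULT_MIN_VERSION)
    max_v = tls.get("max_version")
    for label, value in (("min_version", min_v), ("max_version", max_v)):
        if value is not None and value not in TLS_VERSIONS:
            findings.append(f"tls.{label} '{value}' is not one of {TLS_VERSIONS}")
    if min_v in TLS_VERSIONS:
        if TLS_VERSIONS.index(min_v) < TLS_VERSIONS.index(DEFAULT_MIN_VERSION):
            findings.append(f"tls.min_version {min_v} is below the default {DEFAULT_MIN_VERSION}")
        if max_v in TLS_VERSIONS and TLS_VERSIONS.index(max_v) < TLS_VERSIONS.index(min_v):
            findings.append("tls.max_version is lower than tls.min_version; no version can be negotiated")

    auth = tls.get("client_auth_type")
    if auth is not None and auth not in CLIENT_AUTH_TYPES:
        findings.append(f"tls.client_auth_type '{auth}' is not a documented value")
    if "key_password" in tls and "key_file" not in tls:
        findings.append("tls.key_password is set but tls.key_file is not")
    return findings


# Constructed sample: plaintext endpoint, verification off, TLS 1.0 allowed.
WEAK_NODE = {
    "name": "my_splunk", "type": "splunk_output",
    "endpoint": "http://splunk.internal:8088/services/collector/event",
    "token": "<REDACTED>",
    "tls": {"disable_verify": True, "min_version": "TLSv1_0", "key_password": "<password>"},
}

# Constructed sample: HTTPS HEC URI, pinned CA, TLS 1.2 through 1.3.
HARDENED_NODE = {
    "name": "my_splunk", "type": "splunk_output",
    "endpoint": "https://http-inputs-acme.splunkcloud.com:443/services/collector/event",
    "token": "<REDACTED>", "index": "main",
    "tls": {"ca_file": "/certs/ca.pem", "min_version": "TLSv1_2", "max_version": "TLSv1_3"},
}

if __name__ == "__main__":
    for label, node in (("weak", WEAK_NODE), ("hardened", HARDENED_NODE)):
        print(label, lint_splunk_output(node) or ["ok"])
```

Run against a whole agent config, the same function can be applied to every entry under nodes whose type is splunk_output; the lint deliberately treats a missing min_version as TLSv1_2, matching the documented default, so only an explicit downgrade is reported.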