Edge Delta Splunk Output

Stream data to Splunk.

Overview

The Splunk output streams analytics and insights to a Splunk HEC endpoint.

Configure Splunk

To set up a Splunk output, you must:

  • Configure an HEC token in Splunk
  • Determine the correct HEC endpoint in Splunk, and
  • Import the Edge Delta dashboard into Splunk.

The process to set up a Splunk output varies for Splunk Cloud and Splunk Enterprise users.

Step 1: Configure an HEC Token in Splunk

Option 1: Splunk Cloud

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.

Option 2: Splunk Enterprise

To ensure HTTP Event Collector (HEC) is enabled:

  1. In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
  2. Click HTTP Event Collector.
  3. Click Global Settings.
  4. Enable the All Tokens toggle option.

To create a Splunk HTTP Event Collector (HEC) and token:

  1. In the Splunk Web UI, navigate to Settings, then click Add Data.
  2. Click Monitor, and then click HTTP Event Listener.
  3. In the field, enter a name for the HEC, and then click Next.
  4. Confirm the index information or use the default index, and then click Review.
  5. Click Submit.
  6. Copy the displayed token value. You use the token in the Edge Delta agent configuration.

Step 2: Determine your HEC Endpoint

Before you continue, verify that you have the following information:

  • Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
  • Splunk hostname (from Splunk Browser URI)
  • Input Protocol (HTTPS is default)

Each endpoint can support either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log; the sourcetype for the HTTP endpoint should be set to Structured > _json. With /event, Splunk’s JSON format is used, with the timestamp carried in the JSON.

Option 1: Splunk Cloud Format (Cloud, Free Trial, Cloud on GCP)

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

Splunk Cloud

URI Format: https://http-inputs-<splunk_hostname>:443/services/collector/event

Splunk Free Trial

URI Format: https://inputs.<splunk_hostname>:8088/services/collector/event

Splunk Cloud on GCP

URI Format: https://http-inputs.<splunk_hostname>:443/services/collector/event

Option 2: Splunk Enterprise

Replace <splunk_hostname> with your organization’s hostname and choose the endpoint type: raw or event.

URI Format: https://<splunk_hostname>:8088/services/collector/event

Step 3: Import the Edge Delta Dashboard to Splunk

Contact your Edge Delta Sales Engineer to obtain the dashboard XML.

  1. In Splunk, navigate to Search interface.
  2. Click Dashboards.
  3. Click Create New Dashboard.
  4. Enter and configure a dashboard name, description, and permissions.
  5. Click Classic Dashboards, and then click Create.
  6. In the Edit Dashboard page, switch from UI to Source.
  7. Replace the existing XML with the XML from Edge Delta.
  8. Switch back to UI.
  9. Click Save.

Configure Edge Delta

Finally, you configure the Edge Delta agent to forward data to the Splunk endpoint.

Sample Configuration

The following sample configuration shows an output that does not reference an organization-level integration by name:

      name: my-splunk
      type: splunk
      endpoint: "<protocol>://<host>:<port>/<endpoint>"
      token: "32-character GUID token"
      custom_tags:
        "app": "test"
        "region": "us-west-2"
        "File Path": "{{.FileGlobPath}}"
        "K8s PodName": "{{.K8sPodName}}"
        "K8s Namespace": "{{.K8sNamespace}}"
        "K8s ControllerKind": "{{.K8sControllerKind}}"
        "K8s ContainerName": "{{.K8sContainerName}}"
        "K8s ContainerImage": "{{.K8sContainerImage}}"
        "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
        "ECSCluster": "{{.ECSCluster}}"
        "ECSContainerName": "{{.ECSContainerName}}"
        "ECSTaskVersion": "{{.ECSTaskVersion}}"
        "ECSTaskFamily": "{{.ECSTaskFamily}}"
        "DockerContainerName": "{{.DockerContainerName}}"
        "ConfigID": "{{.ConfigID}}"
        "Host": "{{.Host}}"
        "Source": "{{.Source}}"
        "SourceType": "{{.SourceType}}"
        "Tag": "{{.Tag}}"

The following sample configuration shows multiple instances of the same destination, each routing a different data type to a different Splunk index:

- name: edac-splunk-dest
  integration_name: orgs-splunk
  features: edac
  index: edac-index
- integration_name: orgs-splunk
  name: metric-splunk-dest
  features: metric
  index: metric-index
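As an added example (not Edge Delta's own code), the following Python checks a list of splunk destinations like the two above before they are deployed and returns the feature-to-index routing they produce. It assumes the feature names are the three defaults this page names (metric, edac, cluster), that a multi-feature value is comma-separated, and that a destination without an integration_name must carry its own endpoint and token; the dicts mirror the YAML above and are constructed here.

```python
# Assumption: only the three default feature names from the features parameter are accepted;
# extend this set from the Streaming Features page for your agent version.
KNOWN_FEATURES = {"metric", "edac", "cluster"}
DEFAULT_FEATURES = ["metric", "edac", "cluster"]

# The two destinations from the sample configuration above, constructed as Python dicts.
DESTINATIONS = [
    {"name": "edac-splunk-dest", "integration_name": "orgs-splunk",
     "features": "edac", "index": "edac-index"},
    {"integration_name": "orgs-splunk", "name": "metric-splunk-dest",
     "features": "metric", "index": "metric-index"},
]


def routing_table(destinations):
    """Validate splunk destinations and return {(integration or name, feature): index}.

    Raises ValueError on a missing or duplicated name, an unknown feature, or a
    destination that has neither an integration_name nor its own endpoint and token.
    """
    seen, table = set(), {}
    for d in destinations:
        name = d.get("name")
        if not name or name in seen:
            raise ValueError(f"destination name missing or duplicated: {name!r}")
        seen.add(name)
        integration = d.get("integration_name")
        if not integration and not (d.get("endpoint") and d.get("token")):
            raise ValueError(f"{name}: needs integration_name or endpoint plus token")
        feats = d.get("features")
        # Assumption: a multi-feature value is written as a comma-separated string.
        feats = DEFAULT_FEATURES if feats is None else [f.strip() for f in str(feats).split(",")]
        unknown = set(feats) - KNOWN_FEATURES
        if unknown:
            raise ValueError(f"{name}: unknown features {sorted(unknown)}")
        for f in feats:
            # An empty index means Splunk's default index for the HEC token is used.
            table[(integration or name, f)] = d.get("index", "")
    return table


if __name__ == "__main__":
    for (integration, feature), index in routing_table(DESTINATIONS).items():
        print(f"{integration}: {feature} -> {index or '<default index>'}")
```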

Parameters

Review the following parameters that you can configure in the Edge Delta App.

name

Required

Enter a descriptive name for the output or integration.

For outputs, this name will be used to map this destination to a workflow.

name: my-splunk

integration_name

Optional

This parameter refers to the organization-level integration created in the Integrations page.

If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name parameter. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.

integration_name: orgs-splunk

type

Required

Enter splunk.

type: splunk

endpoint

Required

Enter the full Splunk HEC URI. Each endpoint can support either /raw or /event data. With /raw, the raw logs are sent in Edge Delta’s JSON format and Splunk parses the timestamp from the log; the sourcetype for the HTTP endpoint should be set to Structured > _json. With /event, Splunk’s JSON format is used, with the timestamp carried in the JSON.

This parameter supports 2 types of endpoints:

  • Use “services/collector/event” to send reduced data in Splunk’s predefined JSON format with the timestamp in the JSON:

        endpoint: …./services/collector/event

  • Use “services/collector/raw” to send all data in Edge Delta’s JSON format; Splunk parses the timestamp from the log:

        endpoint: …./services/collector/raw

endpoint: "<protocol>://<host>:<port>/<endpoint>"
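To make the Step 2 URI formats and the /event versus /raw distinction concrete, here is an added Python example (not the agent's or Splunk's code). It assembles the HEC URI from the deployment type and bare hostname, rejects an endpoint that is not https or does not end in one of the two collector paths, and builds the request each endpoint type expects using Splunk's HEC Authorization: Splunk <token> header. The deployment keys, the function names and the sample log record are assumptions; the record's field names do not represent Edge Delta's actual JSON layout.

```python
from datetime import datetime
from urllib.parse import urlencode, urlsplit, urlunsplit

# Host and port patterns from the Step 2 URI formats; the dictionary keys are my own labels.
HEC_BASE = {
    "cloud": "https://http-inputs-{host}:443",
    "free_trial": "https://inputs.{host}:8088",
    "cloud_gcp": "https://http-inputs.{host}:443",
    "enterprise": "https://{host}:8088",
}
# Constructed sample log record; field names are hypothetical, not Edge Delta's format.
SAMPLE_RECORD = {"timestamp": "2024-01-15T10:00:00Z",
                 "msg": "login failed for user alice", "Host": "web-01"}

def hec_uri(deployment: str, hostname: str, kind: str = "event") -> str:
    """Assemble the HEC URI from a deployment type, a bare hostname and 'event' or 'raw'."""
    if kind not in ("event", "raw"):
        raise ValueError("endpoint type must be 'event' or 'raw'")
    if "/" in hostname or ":" in hostname:
        raise ValueError("hostname must be the bare host taken from the Splunk browser URI")
    return HEC_BASE[deployment].format(host=hostname) + "/services/collector/" + kind

def endpoint_type(endpoint: str) -> str:
    """Classify a configured endpoint as 'raw' or 'event'; require https so the token is never sent in clear text."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("HEC endpoint must use https")
    path = parts.path.rstrip("/")
    for kind in ("raw", "event"):
        if path.endswith("/services/collector/" + kind):
            return kind
    raise ValueError("path must end in /services/collector/event or /services/collector/raw")

def build_hec_request(endpoint: str, token: str, record: dict, index: str = "", sourcetype: str = "_json"):
    """Return (url, headers, payload) for one HEC POST; the payload shape depends on /event vs /raw."""
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    if endpoint_type(endpoint) == "raw":
        # /raw: the body is the log itself and Splunk parses the timestamp out of it,
        # so index and sourcetype travel as query parameters instead.
        params = {"sourcetype": sourcetype}
        if index:
            params["index"] = index
        s = urlsplit(endpoint)
        return urlunsplit((s.scheme, s.netloc, s.path, urlencode(params), "")), headers, record
    # /event: Splunk's envelope carries the timestamp as epoch seconds in "time".
    ts = datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
    envelope = {"time": ts.timestamp(), "sourcetype": sourcetype, "event": record}
    if index:
        envelope["index"] = index
    return endpoint, headers, envelope
```

Serialize the returned payload with json.dumps before posting; the /raw payload is the record itself, the /event payload is the envelope around it.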

token

Required

Enter the Splunk HEC token for this integration.

token: "32-character GUID token"

index

Optional

Enter the Splunk index for this integration.

index: metric-index

features

Optional

This parameter defines which data types to stream to the destination. If you do not provide a value, then metric, edac, cluster will be set. To learn more, see the following section on supported feature types.

features: metric

buffer_ttl

Optional

Enter the length of time during which failed streaming data is retried. After this period has elapsed, the failed streaming data is no longer retried.

buffer_ttl: 2h

buffer_path

Optional

Enter a folder path to temporarily store failed streaming data. The failed streaming data will be retried until the data reaches its destinations or until the Buffer TTL value is reached. If you enter a path that does not exist, then the agent will create directories, as needed.

buffer_path: /var/log/edgedelta/pushbuffer/

buffer_max_bytesize

Optional

Enter the maximum size of failed streaming data that you want to retry.

If the failed streaming data is larger than this size, then the failed streaming data will not be retried.

buffer_max_bytesize: 100MB

disable_verify

Optional

To disable TLS certificate verification for the HEC endpoint, enter disable_verify: true. The agent then accepts any certificate the endpoint presents.

To keep TLS certificate verification enabled, enter disable_verify: false, or omit the line entirely.

custom_tags

Optional

This parameter defines key-value pairs that are streamed with every request.

      custom_tags:
        "app": "test"
        "region": "us-west-2"
        "File Path": "{{.FileGlobPath}}"
        "K8s PodName": "{{.K8sPodName}}"
        "K8s Namespace": "{{.K8sNamespace}}"
        "K8s ControllerKind": "{{.K8sControllerKind}}"
        "K8s ContainerName": "{{.K8sContainerName}}"
        "K8s ContainerImage": "{{.K8sContainerImage}}"
        "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
        "ECSCluster": "{{.ECSCluster}}"
        "ECSContainerName": "{{.ECSContainerName}}"
        "ECSTaskVersion": "{{.ECSTaskVersion}}"
        "ECSTaskFamily": "{{.ECSTaskFamily}}"
        "DockerContainerName": "{{.DockerContainerName}}"
        "ConfigID": "{{.ConfigID}}"
        "Host": "{{.Host}}"
        "Source": "{{.Source}}"
        "SourceType": "{{.SourceType}}"
        "Tag": "{{.Tag}}"

Supported Features

See Streaming Features.

Feature Type              Supported?
Log                       Yes
Metrics                   Yes
Alert as event            Yes
Alert as log              No
Health                    No
Dimensions as attribute   Yes
Send as is                No
Send as JSON              Yes
Custom tags               Yes
EDAC enrichment           No
Message template          No
outgoing_bytes.sum        Yes
outgoing__raw_bytes.sum   Yes
outgoing_lines.count      Yes (only data in raw message field)
output buffering to disk  No