Splunk Rosetta Stone Pack
Edge Delta Pipeline Pack for Splunk
Overview
The Splunk pack ensures compatibility of log data with a Splunk destination.
Pack Description
1. Input Node
The data flow starts with the Input node. This node is the entry point into the pack: incoming logs arrive here before they are mapped into Splunk's event format.
2. Splunk Mapper
Logs are then processed by the Map_Logs node, which is a splunk_mapper node. This node performs an essential function by transforming logs into a format compliant with Splunk’s HTTP Event Collector (HEC).
- name: Map_Logs
  type: splunk_mapper
  splunk_time: item["timestamp"]
  splunk_host: item["resource"]["host.name"]
  splunk_source_type: item["resource"]["src_type"]
  splunk_source: item["resource"]["__src_name"]
  splunk_fields: merge(item["attributes"], item["resource"])
  splunk_event: item["body"]
The splunk_mapper node creates a new event payload for Splunk by mapping fields from the incoming logs:
- splunk_time is mapped to the timestamp field from the log.
- splunk_host uses the host.name from the resource.
- splunk_source_type and splunk_source are derived from src_type and __src_name respectively.
- splunk_fields merges attributes and resources for additional detail.
- splunk_event uses the entire body of the log as the event content.
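To make the mapping concrete, here is an added example (not Edge Delta's own code) that parses one combined access-log line of the kind shown under Sample Input into an item with the timestamp, resource, attributes and body fields the mapper reads, then applies the Map_Logs mapping above to produce the HEC event. The attribute names, the epoch-seconds timestamp, the src_type value and the "later keys win" behaviour of merge are assumptions made for the example.

```python
import json
import re
from datetime import datetime

# Regex for the combined access-log lines shown under "Sample Input"
# (note the numeric day/month/year in the timestamp bracket).
COMBINED = re.compile(
    r'^(?P<client_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+)'
)

def parse_access_line(line, host, src_name):
    """Turn one raw access-log line into an item with the four fields the mapper reads.
    Item shape (timestamp, resource, attributes, body) follows the page; attribute
    names, the src_type value and the epoch-seconds timestamp are assumptions."""
    m = COMBINED.match(line)
    if not m:
        raise ValueError("not a combined-format access log line")
    ts = datetime.strptime(m.group("ts"), "%d/%m/%Y:%H:%M:%S %z")  # tz-aware
    return {
        "timestamp": ts.timestamp(),
        "resource": {"host.name": host, "src_type": "access_combined", "__src_name": src_name},
        "attributes": {
            "client_ip": m.group("client_ip"),
            "user": None if m.group("user") == "-" else m.group("user"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "bytes": int(m.group("bytes")),
        },
        "body": line,
    }

def merge(a, b):
    """Shallow merge; keys in b win (assumed to match the pack's merge())."""
    return {**a, **b}

def map_to_hec(item):
    """Apply the Map_Logs mapping from the page to build one HEC JSON event."""
    r = item["resource"]
    return {
        "time": item["timestamp"],          # splunk_time
        "host": r["host.name"],             # splunk_host
        "sourcetype": r["src_type"],        # splunk_source_type
        "source": r["__src_name"],          # splunk_source
        "fields": merge(item["attributes"], r),  # splunk_fields: indexed fields
        "event": item["body"],              # splunk_event: raw line as event
    }

if __name__ == "__main__":  # constructed line, shortened from the Sample Input
    line = '73.58.83.114 - streich9150 [28/09/2024:14:01:07 -0400] "PUT /enterprise/redefine HTTP/2.0" 401 15416 "-" "Mozilla/5.0"'
    print(json.dumps(map_to_hec(parse_access_line(line, "web-01", "/var/log/nginx/access.log")), indent=2))
```

Because splunk_fields merges resource metadata into the indexed fields, every key in the resource (including host.name and __src_name) becomes searchable in Splunk alongside the parsed attributes.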
3. Output Node
Finally, the transformed logs are directed to the Output node.
Sample Input
73.58.83.114 - streich9150 [28/09/2024:14:01:07 -0400] "PUT /enterprise/redefine/cross-media/efficient HTTP/2.0" 401 15416 "http://www.legacyvisionary.com/frictionless/empower" "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_8 rv:6.0; en-US) AppleWebKit/534.35.2 (KHTML, like Gecko) Version/6.1 Safari/534.35.2"
81.182.191.253 - - [28/09/2024:14:01:07 -0400] "DELETE /visionary HTTP/2.0" 504 70747 "https://www.centralone-to-one.biz/distributed/frictionless" "Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/1925-02-04 Firefox/36.0"
17.154.88.156 - bauch9651 [28/09/2024:14:01:07 -0400] "POST /systems/target/brand/eyeballs HTTP/2.0" 203 81398 "https://www.centralextend.io/enhance/cross-platform/engage/drive" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_9 rv:6.0; en-US) AppleWebKit/535.21.6 (KHTML, like Gecko) Version/5.0 Safari/535.21.6"
104.241.60.107 - - [28/09/2024:14:01:07 -0400] "PUT /deploy/cross-platform/engineer/envisioneer HTTP/2.0" 500 21088 "http://www.investorutilize.io/infomediaries/proactive/repurpose" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/5362 (KHTML, like Gecko) Chrome/37.0.868.0 Mobile Safari/5362"
197.43.127.75 - hodkiewicz5442 [28/09/2024:14:01:07 -0400] "GET /reinvent/integrate/bandwidth HTTP/1.1" 504 91937 "https://www.seniordistributed.name/solutions/supply-chains" "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/1925-10-07 Firefox/36.0"
204.191.74.2 - schiller1679 [28/09/2024:14:01:07 -0400] "HEAD /eyeballs HTTP/2.0" 401 51538 "http://www.directdisintermediate.info/back-end/mission-critical/portals/e-tailers" "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.30.3 (KHTML, like Gecko) Version/4.1 Safari/531.30.3"
113.253.184.216 - - [28/09/2024:14:01:07 -0400] "HEAD /revolutionary/synergize/open-source HTTP/2.0" 401 24710 "https://www.forwardoptimize.net/out-of-the-box/mission-critical/vertical" "Opera/9.59 (Macintosh; Intel Mac OS X 10_8_7; en-US) Presto/2.9.233 Version/10.00"
25.197.60.61 - wisozk3586 [28/09/2024:14:01:07 -0400] "GET /e-tailers HTTP/1.0" 301 45071 "https://www.seniore-tailers.biz/virtual/integrated/intuitive" "Opera/9.84 (Windows 95; en-US) Presto/2.10.307 Version/12.00"