Overview
The Splunk output will stream analytics and insights to a Splunk HEC endpoint.
Before you begin
To create an output, you must have available a Splunk HEC token and HEC endpoint.
- To learn how to create and obtain this information, see Pre-Configuration Information for Splunk Users.
Pre-Configuration Information for Splunk Users
Before you can set up a Splunk output or integration, you must have the HEC token and HEC endpoint available. At a high level, to set up a Splunk output or integration, you must:
- Configure an HEC token in Splunk
- Determine the correct HEC endpoint in Splunk
- Import the Edge Delta dashboard into Splunk
Note
The process to set up a Splunk output varies for Splunk Cloud and Splunk Enterprise users.
Step 1: Configure an HEC Token in Splunk
Option 1: Splunk Cloud
To create a Splunk HTTP Event Collector (HEC) and token:
- In the Splunk Web UI, navigate to Settings, then click Add Data.
- Click Monitor, and then click HTTP Event Listener.
- In the field, enter a name for the HEC, and then click Next.
- Confirm the index information or use the default index, and then click Review.
- Click Submit.
- Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.
Option 2: Splunk Enterprise
To ensure HTTP Event Collector (HEC) is enabled:
- In the Splunk Enterprise Web UI, navigate to Settings, then click Data Inputs.
- Click HTTP Event Collector.
- Click Global Settings.
- In the All Tokens toggle button, select Enabled.
To create a Splunk HTTP Event Collector (HEC) and token:
- In the Splunk Web UI, navigate to Settings, then click Add Data.
- Click Monitor, and then click HTTP Event Listener.
- In the field, enter a name for the HEC, and then click Next.
- Confirm the index information or use the default index, and then click Review.
- Click Submit.
- Copy the displayed token value. You can enter this information in the Token field in the Edge Delta App.
Step 2: Determine your HEC Endpoint
Before you continue, verify that you have the following information:
- Splunk deployment type (Enterprise, Cloud, Free Trial, etc.)
- Splunk hostname (from Splunk Browser URI)
- Input Protocol (HTTPS is default)
Option 1: Splunk Cloud Format (Cloud, Free Trial, Cloud on GCP)
Replace <splunk_hostname> with your organization's hostname.
- Splunk Cloud
- URI Format: https://http-inputs-<splunk_hostname>:443/services/collector/event
- Splunk Free Trial
- URI Format: https://inputs.<splunk_hostname>:8088/services/collector/event
- Splunk Cloud on GCP
- URI Format: https://http-inputs.<splunk_hostname>:443/services/collector/event
Option 2: Splunk Enterprise
- URI Format: https://<splunk_hostname>:8088/services/collector/event
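The URI formats above differ only in the host prefix and port, so they can be generated rather than typed by hand. The following is an added example (not Edge Delta's or Splunk's own code) that extracts the bare hostname from the URI shown in the browser when using Splunk Web and builds the matching HEC endpoint. The deployment-type labels ("cloud", "free_trial", "cloud_gcp", "enterprise") are names chosen for this example, and the hostnames used in it are constructed, not real.

```python
from urllib.parse import urlsplit

# URI formats from Step 2, keyed by a deployment-type label chosen for this example
# (the labels are not Edge Delta or Splunk identifiers). {path} is "event" or "raw".
HEC_URI_FORMATS = {
    "cloud": "{protocol}://http-inputs-{host}:443/services/collector/{path}",
    "free_trial": "{protocol}://inputs.{host}:8088/services/collector/{path}",
    "cloud_gcp": "{protocol}://http-inputs.{host}:443/services/collector/{path}",
    "enterprise": "{protocol}://{host}:8088/services/collector/{path}",
}


def splunk_hostname(browser_uri):
    """Extract the bare hostname from the URI shown in the browser for Splunk Web.

    Any port (Splunk Enterprise commonly serves the web UI on 8000) and any path
    are dropped, because the HEC formats above add their own port and path.
    """
    text = browser_uri.strip()
    if "://" not in text:
        text = "https://" + text  # allow a bare "host" or "host:port" as input
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"no hostname found in {browser_uri!r}")
    return host


def hec_endpoint(deployment, hostname, protocol="https", path="event"):
    """Build the HEC endpoint URI for a deployment type and a bare hostname."""
    if deployment not in HEC_URI_FORMATS:
        raise ValueError(f"unknown deployment type {deployment!r}; expected one of {sorted(HEC_URI_FORMATS)}")
    if path not in ("event", "raw"):
        raise ValueError("path must be 'event' or 'raw'")
    if not hostname or any(c in hostname for c in "/:?#@ "):
        raise ValueError("hostname must be a bare host name (use splunk_hostname() on a browser URI)")
    return HEC_URI_FORMATS[deployment].format(protocol=protocol, host=hostname, path=path)


if __name__ == "__main__":
    # Constructed sample values; these are not real Splunk hostnames.
    for deployment, uri in (("cloud", "https://acme.splunkcloud.com/en-US/app/launcher/home"),
                            ("enterprise", "splunk.example.internal:8000")):
        print(deployment, hec_endpoint(deployment, splunk_hostname(uri)))
```

The hostname check rejects anything that already looks like a URL, which catches the common mistake of pasting the whole browser address into <splunk_hostname> and ending up with a doubled scheme or port.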
Step 3: Import the Edge Delta Dashboard to Splunk
- In Splunk, navigate to Search interface.
- Click Dashboards.
- Click Create New Dashboard.
- Enter and configure a dashboard name, description, and permissions.
- Click Classic Dashboards, and then click Create.
- In the Edit Dashboard page, switch from UI to Source.
- Replace the existing XML with the copied XML.
- Contact your Edge Delta Sales Engineer so that you can obtain the XML.
- Switch back to UI.
- Click Save.
Review Sample Configuration
The following sample configuration displays an output without the name of the organization-level integration:
name: my-splunk
type: splunk
endpoint: "<protocol>://<host>:<port>/<endpoint>"
token: "32-character GUID token"
custom_tags:
  "app": "test"
  "region": "us-west-2"
  "File Path": "{{.FileGlobPath}}"
  "K8s PodName": "{{.K8sPodName}}"
  "K8s Namespace": "{{.K8sNamespace}}"
  "K8s ControllerKind": "{{.K8sControllerKind}}"
  "K8s ContainerName": "{{.K8sContainerName}}"
  "K8s ContainerImage": "{{.K8sContainerImage}}"
  "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
  "ECSCluster": "{{.ECSCluster}}"
  "ECSContainerName": "{{.ECSContainerName}}"
  "ECSTaskVersion": "{{.ECSTaskVersion}}"
  "ECSTaskFamily": "{{.ECSTaskFamily}}"
  "DockerContainerName": "{{.DockerContainerName}}"
  "ConfigID": "{{.ConfigID}}"
  "Host": "{{.Host}}"
  "Source": "{{.Source}}"
  "SourceType": "{{.SourceType}}"
  "Tag": "{{.Tag}}"
The following sample configuration applies when there are multiple instances of the same destination that need to route different data types to different Splunk indexes:
- name: edac-splunk-dest
  integration_name: orgs-splunk
  features: edac
  index: edac-index
- integration_name: orgs-splunk
  name: metric-splunk-dest
  features: metric
  index: metric-index
Review Parameters
Review the following parameters that you can configure in the Edge Delta App.
name
Required
Enter a descriptive name for the output or integration.
For outputs, this name will be used to map this destination to a workflow.
Review the following example:
name: my-splunk
integration_name
Optional
This parameter refers to the organization-level integration created in the Integrations page.
If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name parameter. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.
Review the following example:
integration_name: orgs-splunk
type
Required
Enter splunk.
Review the following example:
type: splunk
endpoint
Required
Enter the full Splunk HEC URI.
This parameter supports 2 types of endpoints:
- Use "services/collector/event" to send reduced data in Splunk's predefined JSON format. Review the following example:
endpoint: ..../services/collector/event
- Use "services/collector/raw" to send all data in Edge Delta's predefined JSON format. Review the following example:
endpoint: ..../services/collector/raw
Review the following example:
endpoint: "<protocol>://<host>:<port>/<endpoint>"
token
Required
Enter the Splunk HEC token for this integration.
Review the following example:
token: "32-character GUID token"
index
Optional
Enter the Splunk index for this integration.
Review the following example:
index: metric-index
features
Optional
This parameter defines which data types to stream to the destination.
If you do not provide a value, then metric, edac, and cluster will be set.
To learn more, review the Review Feature Types section in Stream Outputs and Integrations Overview.
Review the following example:
features: metric
buffer_ttl
Optional
Enter the length of time during which failed streaming data is retried.
After this length of time is reached, the failed streaming data will no longer be retried.
Review the following example:
buffer_ttl: 2h
buffer_path
Optional
Enter a folder path to temporarily store failed streaming data.
The failed streaming data will be retried until the data reaches its destinations or until the Buffer TTL value is reached.
If you enter a path that does not exist, then the agent will create directories, as needed.
Review the following example:
buffer_path: /var/log/edgedelta/pushbuffer/
buffer_max_bytesize
Optional
Enter the maximum size of failed streaming data that you want to retry.
If the failed streaming data is larger than this size, then the failed streaming data will not be retried.
Review the following example:
buffer_max_bytesize: 100MB
disable_verify
Optional
To disable TLS verification of the Splunk endpoint's certificate, enter disable_verify: true.
To keep TLS certificate verification enabled, enter disable_verify: false or remove this line entirely.
custom_tags
Optional
This parameter defines key-value pairs that are streamed with every request.
Review the following example:
custom_tags:
  "app": "test"
  "region": "us-west-2"
  "File Path": "{{.FileGlobPath}}"
  "K8s PodName": "{{.K8sPodName}}"
  "K8s Namespace": "{{.K8sNamespace}}"
  "K8s ControllerKind": "{{.K8sControllerKind}}"
  "K8s ContainerName": "{{.K8sContainerName}}"
  "K8s ContainerImage": "{{.K8sContainerImage}}"
  "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
  "ECSCluster": "{{.ECSCluster}}"
  "ECSContainerName": "{{.ECSContainerName}}"
  "ECSTaskVersion": "{{.ECSTaskVersion}}"
  "ECSTaskFamily": "{{.ECSTaskFamily}}"
  "DockerContainerName": "{{.DockerContainerName}}"
  "ConfigID": "{{.ConfigID}}"
  "Host": "{{.Host}}"
  "Source": "{{.Source}}"
  "SourceType": "{{.SourceType}}"
  "Tag": "{{.Tag}}"
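The parameter rules above (required fields, the two accepted HEC paths, the token format, the buffer settings, disable_verify, and unique names when several instances share one integration_name) can be checked before a configuration is deployed. The following is an added example, not Edge Delta's own validator, that applies those rules to the two sample configurations from the Review Sample Configuration section. The samples are written as Python dicts (parsed YAML) so the example runs without a YAML library; the token value is a made-up placeholder. It assumes that an output with integration_name inherits type, endpoint, and token from the organization-level integration, and that features may be given as a comma-separated string or a list; both are assumptions, not documented behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed samples mirroring the page's two configurations; the token is a placeholder.
SAMPLE_OUTPUT = {
    "name": "my-splunk",
    "type": "splunk",
    "endpoint": "https://splunk.example.internal:8088/services/collector/event",
    "token": "11111111-2222-3333-4444-555555555555",
    "buffer_ttl": "2h",
    "buffer_path": "/var/log/edgedelta/pushbuffer/",
    "buffer_max_bytesize": "100MB",
    "custom_tags": {"app": "test", "region": "us-west-2"},
}
SAMPLE_MULTI = [
    {"name": "edac-splunk-dest", "integration_name": "orgs-splunk", "features": "edac", "index": "edac-index"},
    {"integration_name": "orgs-splunk", "name": "metric-splunk-dest", "features": "metric", "index": "metric-index"},
]

HEC_PATHS = ("/services/collector/event", "/services/collector/raw")
FEATURES = {"metric", "edac", "cluster"}  # the values the page names as the default set
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
DURATION_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_size(text):
    """'100MB' -> 104857600; None when the value is not a size the example understands."""
    m = re.fullmatch(r"(\d+)(B|KB|MB|GB)", str(text))
    return int(m.group(1)) * SIZE_UNITS[m.group(2)] if m else None


def parse_duration(text):
    """'2h' -> 7200 seconds; None when the value is not a duration the example understands."""
    m = re.fullmatch(r"(\d+)(s|m|h)", str(text))
    return int(m.group(1)) * DURATION_UNITS[m.group(2)] if m else None


def validate_output(cfg):
    """Return (severity, message) findings for one splunk output block; [] means it passes."""
    findings = []
    if not cfg.get("name"):
        findings.append(("error", "name is required"))
    # Assumption: an organization-level integration supplies type, endpoint, and token.
    if "integration_name" not in cfg:
        if cfg.get("type") != "splunk":
            findings.append(("error", "type must be splunk"))
        parts = urlsplit(str(cfg.get("endpoint", "")))
        if not parts.path.endswith(HEC_PATHS):
            findings.append(("error", "endpoint must end with services/collector/event or services/collector/raw"))
        if parts.scheme != "https":
            findings.append(("warning", "endpoint is not https; the HEC token would cross the network unencrypted"))
        token = str(cfg.get("token", "")).replace("-", "")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", token):
            findings.append(("error", "token is not a 32-hex-digit GUID"))
    if cfg.get("disable_verify") is True:
        findings.append(("warning", "disable_verify: true turns off TLS certificate verification"))
    features = cfg.get("features", "metric,edac,cluster")
    if not isinstance(features, list):
        features = str(features).split(",")
    unknown = {f.strip() for f in features} - FEATURES
    if unknown:
        findings.append(("error", f"unknown feature(s): {sorted(unknown)}"))
    if "buffer_ttl" in cfg and parse_duration(cfg["buffer_ttl"]) is None:
        findings.append(("error", "buffer_ttl must be a duration such as 30m or 2h"))
    if "buffer_max_bytesize" in cfg and parse_size(cfg["buffer_max_bytesize"]) is None:
        findings.append(("error", "buffer_max_bytesize must be a size such as 100MB"))
    if "buffer_path" in cfg and not str(cfg["buffer_path"]).startswith("/"):
        findings.append(("warning", "buffer_path is relative; use an absolute path the agent can create"))
    return findings


def validate_outputs(cfgs):
    """Validate a list of outputs; names must be unique so workflows can address each instance."""
    findings = []
    seen = set()
    for cfg in cfgs:
        name = cfg.get("name", "?")
        findings.extend((sev, f"{name}: {msg}") for sev, msg in validate_output(cfg))
        if name in seen:
            findings.append(("error", f"{name}: duplicate output name"))
        seen.add(name)
    return findings


if __name__ == "__main__":
    for sev, msg in validate_outputs([SAMPLE_OUTPUT] + SAMPLE_MULTI):
        print(sev.upper(), msg)
```

Running the block against the two samples produces no findings; changing the endpoint to plain http, dropping the path, or setting disable_verify: true each produces a finding, which is the point at which the configuration should be corrected rather than deployed.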