Splunk sink Connector, version v2.0.9

Splunk

If you already have a publicly accessible Splunk deployment, you can skip ahead to Configure and install a connector using the Axual Self-Service UI, applying the configuration instructions below.
If you don’t have one available, the following section walks you through deploying a publicly available Splunk instance.

Deploying a Splunk instance

  1. Sign up for a new account with Splunk.

  2. Confirm your e-mail address by clicking the provided link.

  3. Go to the Instances page. If no active instance is shown, wait 5 minutes and refresh the page.

  4. Click the ACCESS INSTANCE button on the MyInstance instance. Don’t log in yet.

  5. You should receive a second e-mail from Splunk with your credentials. Log in using the provided username and password.

  6. Accept the terms, read and close the pop-up Splunk shows, and we’re ready to start setting up our instance.

  7. Follow the official documentation to Create an Event Collector token on Splunk Cloud Platform.

    • Step 1: The Settings button is at the top of the page, and the Add data button is on the left side of the drop-down menu.

      [Image: Splunk Cloud UI, the Settings → Add data button, used to create HEC tokens]

    • Step 9: Use mcollect_stash as the source type. Select the main index as enabled and default.

  8. Once you have your token, note it down. We’ll use it when configuring the Connector-Application, as the splunk.hec.token configuration value.

  9. Test your Splunk deployment and token by issuing a curl request from your local machine (-k skips certificate verification, -v prints the TLS handshake and HTTP headers).
    The URL format is specified in the Send data to HEC on Splunk Cloud documentation.
    Note: As of the time of writing this document, the "standard form for the HEC URI in Splunk Cloud Platform free trials" given there is wrong.
    Replace YOUR-STACK-ID and YOUR-TOKEN with your host and HEC token respectively.
    Example stack ID: prd-p-abc12.

    curl -kv "https://YOUR-STACK-ID.splunkcloud.com:8088/services/collector/event" \
        -H "Authorization: Splunk YOUR-TOKEN" \
        -d '{"event": "Hello, world!", "sourcetype": "manual"}'

    Expected output:

    {
      "text": "Success",
      "code": 0
    }

Configuring a new sink Connector

  1. Follow the Creating streams documentation in order to create one stream and deploy it onto an environment.
    The name of the stream will be my_splunk_stream.
    The key/value types will be JSON/JSON.

  2. Produce some data as JSON/JSON events to this stream.

  3. Follow the Configure and install a connector documentation to set up a new Connector-Application.
    Let’s call it my_splunk_sink.
    The plugin name is com.splunk.kafka.connect.SplunkSinkConnector.
    If the plugin isn’t available, ask a platform operator to install it.

  4. Provide the following minimal configuration in order to connect to the previously configured Splunk instance.
    For advanced configuration, see the official sink connector documentation.

    topics
    The stream the sink consumes from.

    my_splunk_stream

    splunk.hec.uri
    For Splunk Cloud trials, the URL has this form:
    https://YOUR-STACK-ID.splunkcloud.com:8088

    Example value:
    https://prd-p-abc12.splunkcloud.com:8088/services/collector
    Note that, unlike our command-line test URL, this value doesn’t contain the path /services/collector/event.
    The connector appends it to the path itself.

    splunk.hec.token
    Paste the token you noted down after creating the HEC token following the official Splunk documentation.

    Example value:
    12abcd34-5e6f-789g-0123-h45i6j789kl0

    splunk.hec.ssl.trust.store.path
    We need to provide a truststore path. We’ll use the default truststore location.

    /docker-java-home/lib/security/cacerts

    splunk.hec.ssl.trust.store.password
    The default password of that truststore.

    changeit

    splunk.hec.ssl.validate.certs
    We are disabling certificate validation for this example. With this set to false the connector accepts whatever certificate the HEC endpoint presents, so set it back to true once the truststore contains the CA that signed your Splunk endpoint’s certificate.

    false

  5. Authorize the my_splunk_sink sink Connector-Application to consume the my_splunk_stream stream.

  6. You can now start the sink Connector-Application.

  7. You can check whether the events you produced to Kafka made their way into Splunk by opening the HEC dashboard in your browser.
    The URL is YOUR-STACK-ID.splunkcloud.com/en-US/app/splunk_instance_monitoring/http_event_collector

  8. You can now browse your data using Splunk Search in your browser.
    The URL is YOUR-STACK-ID.splunkcloud.com/en-US/app/search/search?q=search%20index%3D%22main%22
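
As an added example, not code from this page or from the Splunk connector project, the following Python script ties the steps above together: it derives splunk.hec.uri from a stack ID, builds the step-4 configuration, flags weakened TLS settings before deployment, and sends the same test event as the step-9 curl command. The function names and the path-normalising behaviour of hec_event_url are assumptions modelled on the note in step 4, not the connector’s own code; the stack ID and token values are the page’s placeholders.

```python
import json
import urllib.request

HEC_EVENT_PATH = "/services/collector/event"

def hec_base_uri(stack_id):
    """splunk.hec.uri for a Splunk Cloud trial: scheme, host and port 8088, no path."""
    return f"https://{stack_id}.splunkcloud.com:8088"

def hec_event_url(hec_uri):
    """Append the event endpoint as the connector does (trailing-slash/prefix handling is assumed)."""
    base = hec_uri.rstrip("/")
    if base.endswith(HEC_EVENT_PATH):
        return base
    if base.endswith("/services/collector"):
        return base + "/event"
    return base + HEC_EVENT_PATH

def connector_config(stack_id, token, validate_certs=True):
    """Minimal my_splunk_sink configuration from step 4, keyed as the connector expects."""
    return {
        "topics": "my_splunk_stream",
        "splunk.hec.uri": hec_base_uri(stack_id),
        "splunk.hec.token": token,
        "splunk.hec.ssl.trust.store.path": "/docker-java-home/lib/security/cacerts",
        "splunk.hec.ssl.trust.store.password": "changeit",
        "splunk.hec.ssl.validate.certs": "true" if validate_certs else "false",
    }

def config_findings(cfg):
    """Review the HEC settings before deploying; an empty list means nothing to flag."""
    findings = []
    if str(cfg.get("splunk.hec.ssl.validate.certs", "true")).lower() == "false":
        findings.append("splunk.hec.ssl.validate.certs=false: HEC certificate is not verified")
    if not cfg.get("splunk.hec.uri", "").startswith("https://"):
        findings.append("splunk.hec.uri is not https: token and events travel in clear text")
    return findings

def hec_accepted(body):
    """True when HEC replied with the success document shown in step 9."""
    reply = json.loads(body)
    return reply.get("code") == 0 and reply.get("text") == "Success"

def send_test_event(hec_uri, token, message="Hello, world!"):
    """Same request as the curl command in step 9 (live network call)."""
    payload = json.dumps({"event": message, "sourcetype": "manual"}).encode()
    req = urllib.request.Request(hec_event_url(hec_uri), data=payload,
                                 headers={"Authorization": f"Splunk {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return hec_accepted(resp.read())
```

Against a live trial, call send_test_event(hec_base_uri("prd-p-abc12"), "YOUR-TOKEN"); unlike curl -k, urllib verifies the server certificate.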

Cleanup

Once you are done, stop the Connector-Application and clean up the unused Axual resources.
You don’t need to do anything to clean up your Splunk Cloud trial instance; it expires after 2 weeks.

License

Splunk sink-Connector is licensed under the Apache License, Version 2.0.

Source code

The source code for the Connect-Plugin can be found at github.com/splunk/kafka-connect-splunk.