embulk-input-splunk 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 97cceb8fac1ece34ef872c15aa8861d735d9307c89450ac8ce343a440c855062
+  data.tar.gz: 896b3b1543169a45aeb94494817b9136064cdb566c72449caf41dca28473a38b
+SHA512:
+  metadata.gz: bb553e46a762d8fd09b5655bd1c0621c1d5bf28396c00059cd1a1809cf768d6b70f2dc3bbaf47785899bea94807c73b069bf542bd6b5b47e9ff7494c60a301c0
+  data.tar.gz: '085667e45da0411d52b783def58e0c5187d337113e6913b37651f9159843fea76d44a573f1be69283d04375d9e54ba25a78656e4d25b45f4eba270a9a9ecb558'

data/.gitignore

@@ -0,0 +1,5 @@
+*~
+/pkg/
+/tmp/
+/.bundle/
+/Gemfile.lock

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org/'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,40 @@
+# Splunk input plugin for Embulk
+
+A simple plug-in to run a once-off Splunk query and emit the results.
+
+## Overview
+
+* **Plugin type**: input
+* **Resume supported**: no
+* **Cleanup supported**: no
+* **Guess supported**: no
+
+## Configuration
+
+-  **type**: splunk
+-  **host**: host of your splunk server (string, required)
+-  **username**: splunk username (string, required)
+-  **password**: splunk password (string, required)
+-  **port**: splunk API port (integer, default: 8089)
+-  **query**: the query you wish to run. It should be prefixed with "search" (string required)
+
+## Example
+
+```yaml
+in:
+  type: splunk
+  host: splunk.example.com
+  username: splunk_user
+  password: abc123
+  port: 8089
+  query: "search index="main" | head 10"
+out:
+  type: stdout
+```
+
+
+## Build
+
+```
+$ rake
+```

data/Rakefile

@@ -0,0 +1,3 @@
+require "bundler/gem_tasks"
+
+task default: :build

data/embulk-input-splunk.gemspec

@@ -0,0 +1,20 @@
+
+Gem::Specification.new do |spec|
+  spec.name          = "embulk-input-splunk"
+  spec.version       = "0.1.1"
+  spec.authors       = ["Scott Arbeitman"]
+  spec.summary       = "Splunk input plugin for Embulk"
+  spec.description   = "Loads records from a Splunk query."
+  spec.email         = ["scott.arbeitman+gem@gmail.com"]
+  spec.licenses      = ["MIT"]
+
+  spec.files         = `git ls-files`.split("\n") + Dir["classpath/*.jar"]
+  spec.test_files    = spec.files.grep(%r{^(test|spec)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'splunk-sdk-ruby'
+  spec.add_dependency 'activesupport'
+  spec.add_development_dependency 'embulk', ['>= 0.8.39']
+  spec.add_development_dependency 'bundler', ['>= 1.10.6']
+  spec.add_development_dependency 'rake', ['>= 10.0']
+end

data/lib/embulk/input/splunk.rb

@@ -0,0 +1,95 @@
+require 'splunk-sdk-ruby'
+require 'active_support/all'
+require 'digest'
+require 'json'
+
+module Embulk
+  module Input
+
+    class Splunk < InputPlugin
+      Plugin.register_input("splunk", self)
+      
+      # Zero means unlimited results. Splunk's default is 100.
+      SPLUNK_UNLIMITED_RESULTS = 0
+      SPLUNK_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%L%:z"
+
+      def self.transaction(config, &control)
+        # configuration code:
+        task = {
+          "host" => config.param("host", :string),
+          "port" => config.param("port", :integer, default: 8089),
+          "username" => config.param("username", :string),
+          "password" => config.param("password", :string),
+          "query" => config.param("query", :string),
+          "incremental" => config.param("incremental", :bool, default: false),
+          "time_format" => config.param("time_format", :string, default: SPLUNK_TIME_FORMAT),
+          
+          "earliest_time" => config.param(:earliest_time, :string, default: "2010-01-01T00:00:00.000"),
+        }
+
+        columns = [
+          Column.new(0, "time", :timestamp),
+          Column.new(1, "result", :json),
+        ]
+
+        resume(task, columns, 1, &control)
+      end
+
+      def self.resume(task, columns, count, &control)
+        task_reports = yield(task, columns, count)
+        
+        next_config_diff = {}
+        
+        if task["incremental"]
+          next_config_diff[:earliest_time] = Time.parse( task_reports.first[:latest_time_in_results] ).strftime(SPLUNK_TIME_FORMAT)
+        end
+        
+        return next_config_diff
+      end
+
+      def init
+        # initialization code:
+        splunk_config = {
+          :scheme => :https,
+          :host => task[:host],
+          :port => task[:port],
+          :username => task[:username],
+          :password => task[:password]
+        }
+        
+        @service = ::Splunk::connect(splunk_config)
+        @query = task["query"]
+        @earliest_time = task[:earliest_time]
+      end
+
+      def run
+        stream = @service.create_oneshot(@query,
+                                         count: SPLUNK_UNLIMITED_RESULTS,
+                                         earliest_time: @earliest_time)
+
+        reader = ::Splunk::ResultsReader.new(stream)
+        
+        latest_time_in_results = Time.at(0)
+
+        reader.each do |result|
+          event_time = Time.strptime( result["_time"], task[:time_format] )
+          latest_time_in_results = [latest_time_in_results, event_time].max
+          
+          page_builder.add( [
+            event_time,
+            result.to_json
+          ] )
+        end
+        
+        page_builder.finish
+        
+        task_result = {
+          latest_time_in_results: latest_time_in_results
+        }
+
+        return task_result
+      end
+    end
+
+  end
+end

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: embulk-input-splunk
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Scott Arbeitman
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-02-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: splunk-sdk-ruby
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: activesupport
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.39
+  name: embulk
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.39
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.10.6
+  name: bundler
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.10.6
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  name: rake
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Loads records from a Splunk query.
+email:
+- scott.arbeitman+gem@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- embulk-input-splunk.gemspec
+- lib/embulk/input/splunk.rb
+homepage:
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.13
+signing_key:
+specification_version: 4
+summary: Splunk input plugin for Embulk
+test_files: []