embulk-input-splunk 0.1.2 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +9 -1
- data/embulk-input-splunk.gemspec +1 -1
- data/lib/embulk/input/splunk.rb +13 -3
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bb169aa2ac863553e446617ab350bb93b56f4711ce48c5b96ec0ce47e0e0525e
|
|
4
|
+
data.tar.gz: d715cadc423c7c1dfb6136b1d1cc15a1030f426cb00ee1374eae2f9059058994
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8cd23ac86966cfc83fd7f7fea8c5d41623639aa2056104c8e4429eb23cf27f62099b1dea2b3167fcd0502d710d0cef3656de0663909ba500e9e35ec72debbc48
|
|
7
|
+
data.tar.gz: e9507de2e73fdc6324e7de78febcbb85f66166b77b8e3b19687bd965c6d27cfe164920c616ab5a180eaafc93d49043386e366fd79c3d2a091b779e4d7dab53fb
|
data/README.md
CHANGED
|
@@ -24,17 +24,25 @@ Note that the time is fetched from Splunk's `_time` field. It is possible to ren
|
|
|
24
24
|
- **query**: the query you wish to run. It should be prefixed with "search" (string required)
|
|
25
25
|
- **earliest_time**: the earliest time for the splunk search. (string, default: nil, which is unbounded)
|
|
26
26
|
- **latest_time**: the latest time for the splunk search. (string, default: nil, which is unbounded)
|
|
27
|
+
- **incremental**: whether to resume next search from last result time (boolean, default: false)
|
|
27
28
|
|
|
28
29
|
### Earliest and latest times
|
|
29
30
|
|
|
30
31
|
Splunk's required data format is `%Y-%m-%dT%H:%M:%S.%L%:z` which is the required format for `earliest_time` and `latest_time`.
|
|
31
32
|
In addition, Splunk relative time operations are also accepted, such as -1d@d. For more information, see the [Splunk documentation](https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/SearchTimeModifiers)
|
|
32
33
|
|
|
34
|
+
### Incremental loads
|
|
35
|
+
|
|
36
|
+
Incremental support is basic. The logic is:
|
|
37
|
+
|
|
38
|
+
- always rely on `_time` field in Splunk
|
|
39
|
+
- determine latest `_time` in search
|
|
40
|
+
- use latest `_time` as `earliest_time` in next run
|
|
41
|
+
|
|
33
42
|
### Number of returned results
|
|
34
43
|
|
|
35
44
|
The default Splunk API limits resuts to 100. In this plugin, the limit is not set, so it is possible to generate very large result sets. To limit the number of results, use the `head` or `tail` command in your query.
|
|
36
45
|
|
|
37
|
-
|
|
38
46
|
## Examples
|
|
39
47
|
|
|
40
48
|
Remember the queries much be prefixed with the search command or they are unlikely not to work.
|
data/embulk-input-splunk.gemspec
CHANGED
data/lib/embulk/input/splunk.rb
CHANGED
|
@@ -12,6 +12,7 @@ module Embulk
|
|
|
12
12
|
# Zero means unlimited results. Splunk's default is 100.
|
|
13
13
|
SPLUNK_UNLIMITED_RESULTS = 0
|
|
14
14
|
SPLUNK_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%L%:z"
|
|
15
|
+
SPLUNK_OUTPUT_FORMAT = "json"
|
|
15
16
|
|
|
16
17
|
def self.transaction(config, &control)
|
|
17
18
|
# configuration code:
|
|
@@ -26,9 +27,13 @@ module Embulk
|
|
|
26
27
|
|
|
27
28
|
"earliest_time" => config.param(:earliest_time, :string, default: nil),
|
|
28
29
|
"latest_time" => config.param(:latest_time, :string, default: nil),
|
|
29
|
-
|
|
30
|
-
"incremental" => config.param("incremental", :bool, default: false),
|
|
30
|
+
|
|
31
|
+
"incremental" => config.param("incremental", :bool, default: false),
|
|
31
32
|
}
|
|
33
|
+
|
|
34
|
+
if task["incremental"] && task["latest_time"]
|
|
35
|
+
Embulk.logger.warn "Incremental is 'true' and latest_time is set. This may have unexpected results."
|
|
36
|
+
end
|
|
32
37
|
|
|
33
38
|
columns = [
|
|
34
39
|
Column.new(0, "time", :timestamp),
|
|
@@ -60,14 +65,19 @@ module Embulk
|
|
|
60
65
|
:password => task[:password]
|
|
61
66
|
}
|
|
62
67
|
|
|
63
|
-
@service = ::Splunk::connect(splunk_config)
|
|
64
68
|
@query = task["query"]
|
|
65
69
|
@earliest_time, @latest_time = task[:earliest_time], task[:latest_time]
|
|
70
|
+
|
|
71
|
+
Embulk.logger.info "Establishing connection to Splunk"
|
|
72
|
+
@service = ::Splunk::connect(splunk_config)
|
|
66
73
|
end
|
|
67
74
|
|
|
68
75
|
def run
|
|
76
|
+
Embulk.logger.info "Running query `#{@query}`"
|
|
77
|
+
|
|
69
78
|
stream = @service.create_oneshot(@query,
|
|
70
79
|
count: SPLUNK_UNLIMITED_RESULTS,
|
|
80
|
+
output_format: SPLUNK_OUTPUT_FORMAT,
|
|
71
81
|
earliest_time: @earliest_time,
|
|
72
82
|
latest_time: @latest_time)
|
|
73
83
|
|