fluent-plugin-in-http-splunk-hec 0.1.0.rc1 → 0.1.0.rc2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b026a18f2c30a139c8718e3669993e0ccf885f04ecde1447399943d4b2b876ab
|
|
4
|
+
data.tar.gz: c85f866af026a2629301bd1d3a6af6f69df58b3a00c5eb0c2e472bdea9afc869
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5e6802be2857560aa6e06a58ec8d7a53132bfac6fb25eadee5a1d7009d85c3219bcf57ae6dfc8c0e85decf0e37e13baeedba22a62b6078d04e96ac8ba0afb5e3
|
|
7
|
+
data.tar.gz: c61be912ec432173f1d9a394197366de879462f8bd186ffd0d07f4e3484c2f1c6d87cebdcd32843ec093ae347025fb5fad682cec6deb194cf9a1b2de3cc16d70
|
data/README.md
CHANGED
|
@@ -118,6 +118,70 @@ This plugin can handle Splunk HEC HTTP requests with the following configuration
|
|
|
118
118
|
# And other data pipeline
|
|
119
119
|
```
|
|
120
120
|
|
|
121
|
+
### Advanced Usage
|
|
122
|
+
|
|
123
|
+
`in_http_splunk_hec` can be combined `fluent-plugin-cmetrics` to forward ingested Splunk metric records from mimicking Splunk HTTP HEC endpoint.
|
|
124
|
+
|
|
125
|
+
When you want to use the below Splunk HTTP HEC aggregator, you have to install `fluent-plugin-cmetrics` before you use that.
|
|
126
|
+
|
|
127
|
+
This plugin also can aggregate and the latter data pipeline can forward Splunk metric events with the following configuration:
|
|
128
|
+
|
|
129
|
+
```aconf
|
|
130
|
+
<source>
|
|
131
|
+
@type http_splunk_hec
|
|
132
|
+
bind 0.0.0.0
|
|
133
|
+
port 8089
|
|
134
|
+
body_size_limit 32MB
|
|
135
|
+
keepalive_timeout 10
|
|
136
|
+
# backlog 0
|
|
137
|
+
add_http_headers false
|
|
138
|
+
# Use the actual Splunk HTTP HEC endpoint token
|
|
139
|
+
splunk_token <<YOUR_SPLUNK_HEC_TOKEN>>
|
|
140
|
+
<parse>
|
|
141
|
+
@type none
|
|
142
|
+
</parse>
|
|
143
|
+
</source>
|
|
144
|
+
|
|
145
|
+
<filter services.collector>
|
|
146
|
+
@type concatenated_splunk_json
|
|
147
|
+
</filter>
|
|
148
|
+
|
|
149
|
+
<match services.collector>
|
|
150
|
+
@type copy
|
|
151
|
+
<store>
|
|
152
|
+
@type rdkafka2
|
|
153
|
+
brokers <<BROKER_URL:BROKER_PORT>>
|
|
154
|
+
topic services.collector
|
|
155
|
+
default_topic services.collector
|
|
156
|
+
use_event_time true
|
|
157
|
+
required_acks 1
|
|
158
|
+
<format>
|
|
159
|
+
# This plugin is included in `fluent-plugin-cmetrics`.
|
|
160
|
+
@type cmetrics_splunk_metric_payload
|
|
161
|
+
host_key host
|
|
162
|
+
cmetrics_name_key $.fields.metric_name
|
|
163
|
+
cmetrics_value_key $.fields._value
|
|
164
|
+
# Specifying the below parameter and `$.fields` in `<fields>` plugin custom directive,
|
|
165
|
+
# out_rdkafka2 can send Splunk metrics style records into Kafka.
|
|
166
|
+
#
|
|
167
|
+
# To remove the `$.fields` prefix from Splunk dimensions,
|
|
168
|
+
# This parameter should be true.
|
|
169
|
+
only_use_last_field_keys true
|
|
170
|
+
<fields>
|
|
171
|
+
$.fields
|
|
172
|
+
</fields>
|
|
173
|
+
</format>
|
|
174
|
+
<buffer>
|
|
175
|
+
@type memory
|
|
176
|
+
flush_interval 10s
|
|
177
|
+
</buffer>
|
|
178
|
+
</store>
|
|
179
|
+
<store>
|
|
180
|
+
@type stdout
|
|
181
|
+
</store>
|
|
182
|
+
</match>
|
|
183
|
+
```
|
|
184
|
+
|
|
121
185
|
## Copyright
|
|
122
186
|
|
|
123
187
|
* Copyright(c) 2021- Calyptia Inc.
|
|
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |spec|
|
|
5
5
|
spec.name = "fluent-plugin-in-http-splunk-hec"
|
|
6
|
-
spec.version = "0.1.0.
|
|
6
|
+
spec.version = "0.1.0.rc2"
|
|
7
7
|
spec.authors = ["Hiroshi Hatake"]
|
|
8
8
|
spec.email = ["cosmo0920.oucc@gmail.com"]
|
|
9
9
|
|
|
@@ -37,8 +37,12 @@ module Fluent
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
def parse_splunk_timestamp(timestamp)
|
|
40
|
-
|
|
41
|
-
|
|
40
|
+
if !timestamp.nil?
|
|
41
|
+
timestamp = Float(timestamp)
|
|
42
|
+
Fluent::EventTime.from_time(Time.at(timestamp.to_r))
|
|
43
|
+
else
|
|
44
|
+
Fluent::EventTime.now
|
|
45
|
+
end
|
|
42
46
|
end
|
|
43
47
|
|
|
44
48
|
def filter_stream(tag, es)
|
|
@@ -19,6 +19,16 @@ class ConcatenatedSplunkJSONFilterTest < Test::Unit::TestCase
|
|
|
19
19
|
time_key time
|
|
20
20
|
]
|
|
21
21
|
|
|
22
|
+
test "parsing simple body w/o time_key" do
|
|
23
|
+
d = create_driver
|
|
24
|
+
d.run(default_tag: "test") do
|
|
25
|
+
d.feed(Fluent::EventTime.now, {"message" => '{"event":"Hello, world!", "sourcetype":"manual"}'})
|
|
26
|
+
end
|
|
27
|
+
assert do
|
|
28
|
+
d.filtered.size >= 1
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
|
|
22
32
|
test "parsing condensed body" do
|
|
23
33
|
d = create_driver
|
|
24
34
|
d.run(default_tag: "test") do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-in-http-splunk-hec
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.0.
|
|
4
|
+
version: 0.1.0.rc2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Hiroshi Hatake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-01-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|