fluent-plugin-splunk-hec 1.1.2 → 1.2.4
- checksums.yaml +4 -4
- data/Gemfile +2 -0
- data/Gemfile.lock +101 -29
- data/LICENSE +73 -5
- data/README.md +130 -77
- data/Rakefile +6 -1
- data/VERSION +1 -1
- data/fluent-plugin-splunk-hec.gemspec +10 -5
- data/lib/fluent/plugin/out_splunk.rb +313 -0
- data/lib/fluent/plugin/{out_splunk_hec → out_splunk}/match_formatter.rb +5 -3
- data/lib/fluent/plugin/out_splunk/version.rb +3 -0
- data/lib/fluent/plugin/out_splunk_hec.rb +144 -194
- data/lib/fluent/plugin/out_splunk_hec/version.rb +2 -0
- data/lib/fluent/plugin/out_splunk_ingest_api.rb +112 -0
- data/test/fluent/plugin/out_splunk_hec_test.rb +227 -225
- data/test/fluent/plugin/out_splunk_ingest_api_test.rb +244 -0
- data/test/test_helper.rb +10 -7
- metadata +69 -24
- data/test/lib/webmock/http_lib_adapters/httpclient_adapter.rb +0 -0
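--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 057e56b761d497efa241a04003ffabe88f22c52f04eb7388538044c829548736
+data.tar.gz: 50a5bcbed257411be793337e52ce45b49c723782134b4ff9000e74af28c59965
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e036e50f81d0f607145b57111031fcee43072915c4619c98d33126df237e3c4afbfde859d7babfd94bdddc849c09d881d0383fc7863688f4db7f0f2e8c5e7cfd
+data.tar.gz: 78246497f0735f9b54d80cce7b19831d75c623c31a90adfd8a717dc4a9a347f9b2288202566532d89c5b0526c2b04e1e34041fdce5e0de9cc790ac8d67b27a02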
data/Gemfile
CHANGED
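--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,46 +1,103 @@
 PATH
 remote: .
 specs:
-fluent-plugin-splunk-hec (1.
-fluentd (
+fluent-plugin-splunk-hec (1.2.4)
+fluentd (>= 1.4)
 multi_json (~> 1.13)
-net-http-persistent (~> 3.
+net-http-persistent (~> 3.1)
+openid_connect (~> 1.1.8)
+prometheus-client (< 0.10.0)
 
 GEM
 remote: https://rubygems.org/
 specs:
-
-
+activemodel (5.2.4.3)
+activesupport (= 5.2.4.3)
+activesupport (5.2.4.3)
+concurrent-ruby (~> 1.0, >= 1.0.2)
+i18n (>= 0.7, < 2)
+minitest (~> 5.1)
+tzinfo (~> 1.1)
+addressable (2.7.0)
+public_suffix (>= 2.0.2, < 5.0)
+aes_key_wrap (1.0.1)
+ast (2.4.0)
+attr_required (1.0.1)
+bindata (2.4.4)
+concurrent-ruby (1.1.6)
 connection_pool (2.2.2)
-cool.io (1.
+cool.io (1.6.0)
 crack (0.4.3)
 safe_yaml (~> 1.0.0)
-
-
-fluentd (1.4.0)
+docile (1.3.2)
+fluentd (1.9.2)
 cool.io (>= 1.4.5, < 2.0.0)
-dig_rb (~> 1.0.0)
 http_parser.rb (>= 0.5.1, < 0.7.0)
-msgpack (>=
+msgpack (>= 1.3.1, < 2.0.0)
 serverengine (>= 2.0.4, < 3.0.0)
 sigdump (~> 0.2.2)
 strptime (>= 0.2.2, < 1.0.0)
-tzinfo (
+tzinfo (>= 1.0, < 3.0)
 tzinfo-data (~> 1.0)
 yajl-ruby (~> 1.0)
-hashdiff (0.
-http_parser.rb (0.
-
-
-
-
-
+hashdiff (1.0.0)
+http_parser.rb (0.5.3)
+httpclient (2.8.3)
+i18n (1.8.2)
+concurrent-ruby (~> 1.0)
+jaro_winkler (1.5.4)
+json (2.3.0)
+json-jwt (1.11.0)
+activesupport (>= 4.2)
+aes_key_wrap
+bindata
+mail (2.7.1)
+mini_mime (>= 0.1.1)
+mini_mime (1.0.2)
+minitest (5.14.0)
+msgpack (1.3.3)
+multi_json (1.14.1)
+net-http-persistent (3.1.0)
 connection_pool (~> 2.2)
-
-
-
-
-
+openid_connect (1.1.8)
+activemodel
+attr_required (>= 1.0.0)
+json-jwt (>= 1.5.0)
+rack-oauth2 (>= 1.6.1)
+swd (>= 1.0.0)
+tzinfo
+validate_email
+validate_url
+webfinger (>= 1.0.1)
+parallel (1.19.1)
+parser (2.7.0.2)
+ast (~> 2.4.0)
+power_assert (1.1.5)
+powerpack (0.1.2)
+prometheus-client (0.9.0)
+quantile (~> 0.2.1)
+public_suffix (4.0.3)
+quantile (0.2.1)
+rack (2.2.3)
+rack-oauth2 (1.10.1)
+activesupport
+attr_required
+httpclient
+json-jwt (>= 1.11.0)
+rack
+rainbow (3.0.0)
+rake (12.3.3)
+rubocop (0.63.1)
+jaro_winkler (~> 1.5.1)
+parallel (~> 1.10)
+parser (>= 2.5, != 2.5.1.1)
+powerpack (~> 0.1)
+rainbow (>= 2.2.2, < 4.0)
+ruby-progressbar (~> 1.7)
+unicode-display_width (~> 1.4.0)
+ruby-progressbar (1.10.1)
+safe_yaml (1.0.5)
+serverengine (2.2.1)
 sigdump (~> 0.2.2)
 sigdump (0.2.4)
 simplecov (0.16.1)
@@ -49,13 +106,27 @@ GEM
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.2)
 strptime (0.2.3)
-
+swd (1.1.2)
+activesupport (>= 3)
+attr_required (>= 0.0.5)
+httpclient (>= 2.4)
+test-unit (3.3.5)
 power_assert
 thread_safe (0.3.6)
-tzinfo (1.2.
+tzinfo (1.2.6)
 thread_safe (~> 0.1)
-tzinfo-data (1.
+tzinfo-data (1.2019.3)
 tzinfo (>= 1.0.0)
+unicode-display_width (1.4.1)
+validate_email (0.1.6)
+activemodel (>= 3.0)
+mail (>= 2.2.5)
+validate_url (1.0.8)
+activemodel (>= 3.0.0)
+public_suffix
+webfinger (1.1.0)
+activesupport
+httpclient (>= 2.4)
 webmock (3.5.1)
 addressable (>= 2.3.6)
 crack (>= 0.3.2)
@@ -69,10 +140,11 @@ DEPENDENCIES
 bundler (~> 2.0)
 fluent-plugin-splunk-hec!
 minitest (~> 5.0)
-rake (
+rake (>= 12.0)
+rubocop (~> 0.63.1)
 simplecov
 test-unit (~> 3.0)
 webmock (~> 3.5.0)
 
 BUNDLED WITH
-2.
+2.1.4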
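--- a/data/LICENSE
+++ b/data/LICENSE
@@ -214,21 +214,89 @@ Apache License 2.0
 The following components are provided under the Apache License 2.0. See project link for details.
 
 (Apache License 2.0) fluentd (https://github.com/fluent/fluentd/blob/master/LICENSE)
+(Apache License 2.0) ffi-compiler (https://github.com/ffi/ffi-compiler/blob/master/LICENSE)
+(Apache License 2.0) msgpack (https://github.com/msgpack/msgpack-ruby/blob/master/LICENSE)
+(Apache License 2.0) prometheus-client (https://github.com/prometheus/client_ruby/blob/master/LICENSE)
+(Apache License 2.0) quantile (https://github.com/matttproud/ruby_quantile_estimation/blob/master/LICENSE)
+(Apache License 2.0) serverengine (https://github.com/treasure-data/serverengine/blob/master/LICENSE)
+(Apache License 2.0) addressable (https://github.com/sporkmonger/addressable/blob/master/LICENSE.txt)
+(Apache License 2.0) fluent-plugin-kubernetes_metadata_filter (https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter/blob/master/LICENSE.txt)
+(Apache License 2.0) thread_safe (https://github.com/ruby-concurrency/thread_safe/blob/master/LICENSE)
 
 ========================================================================
 MIT licenses
 ========================================================================
 The following components are provided under the MIT License. See project link for details.
 
-(MIT License)
-(MIT License)
+(MIT License) activemodel (https://github.com/rails/rails/blob/v6.0.2.1/activemodel/MIT-LICENSE)
+(MIT License) activesupport (https://github.com/rails/rails/blob/v6.0.2.1/activesupport/MIT-LICENSE)
+(MIT License) aes_key_wrap (https://github.com/tomdalling/aes_key_wrap/blob/master/LICENSE.txt)
+(MIT License) ast (https://github.com/whitequark/ast/blob/master/LICENSE.MIT)
+(MIT License) attr_required (https://github.com/nov/attr_required/blob/master/LICENSE)
 (MIT License) bundler (https://github.com/bundler/bundler/blob/master/LICENSE.md)
+(MIT License) concurrent-ruby (https://github.com/ruby-concurrency/concurrent-ruby/blob/master/LICENSE.md)
+(MIT License) connection_pool (https://github.com/mperham/connection_pool/blob/master/LICENSE)
+(MIT License) cool.io (https://github.com/tarcieri/cool.io/blob/master/LICENSE)
+(MIT License) crack (https://github.com/jnunemaker/crack/blob/master/LICENSE)
+(MIT License) docile (https://github.com/ms-ati/docile/blob/master/LICENSE)
+(MIT License) hashdiff (https://github.com/liufengyun/hashdiff/blob/master/LICENSE)
+(MIT License) http (https://github.com/httprb/http/blob/master/LICENSE.txt)
+(MIT License) http_parser.rb (https://github.com/tmm1/http_parser.rb/blob/master/LICENSE-MIT)
+(MIT License) http-accept (https://github.com/socketry/http-accept#license)
+(MIT License) http-cookie (https://github.com/sparklemotion/http-cookie/blob/master/LICENSE.txt)
+(MIT License) http-form_data (https://github.com/httprb/form_data/blob/master/LICENSE.txt)
+(MIT License) http-parser (https://github.com/cotag/http-parser/blob/master/LICENSE)
+(MIT License) i18n (https://github.com/ruby-i18n/i18n/blob/master/MIT-LICENSE)
+(MIT License) jaro_winkler (https://github.com/tonytonyjan/jaro_winkler/blob/master/LICENSE.txt)
+(MIT License) json-jwt (https://github.com/tonytonyjan/jaro_winkler/blob/master/LICENSE.txt)
+(MIT License) kubeclient (https://github.com/abonas/kubeclient/blob/master/LICENSE.txt)
+(MIT License) lru_redux (https://github.com/SamSaffron/lru_redux/blob/master/LICENSE.txt)
+(MIT License) mail (https://github.com/mikel/mail/blob/master/MIT-LICENSE)
+(MIT License) mime-types (https://github.com/mime-types/ruby-mime-types/blob/master/Licence.md)
+(MIT License) mime-types-data (https://github.com/mime-types/mime-types-data/blob/master/Licence.md)
+(MIT License) mini_mime (https://github.com/discourse/mini_mime/blob/master/LICENSE.txt)
+(MIT License) minitest (https://github.com/seattlerb/minitest)
+(MIT License) multi_json (https://github.com/intridea/multi_json/blob/master/LICENSE.md)
+(MIT License) net-http-persistent (https://github.com/drbrain/net-http-persistent)
+(MIT License) netrc (https://github.com/heroku/netrc/blob/master/LICENSE.md)
+(MIT License) openid_connect (https://github.com/nov/openid_connect/blob/master/LICENSE)
+(MIT License) parallel (https://github.com/grosser/parallel/blob/master/MIT-LICENSE.txt)
+(MIT License) parser (https://github.com/whitequark/parser/blob/master/LICENSE.txt)
+(MIT License) powerpack (https://github.com/bbatsov/powerpack/blob/master/LICENSE.txt)
+(MIT License) public_suffix (https://github.com/weppos/publicsuffix-ruby/blob/master/LICENSE.txt)
+(MIT License) rack (https://github.com/rack/rack/blob/master/MIT-LICENSE)
+(MIT License) rack-oauth2 (https://github.com/nov/rack-oauth2/blob/master/LICENSE)
+(MIT License) rainbow (https://github.com/sickill/rainbow/blob/master/LICENSE)
 (MIT License) rake (https://github.com/ruby/rake/blob/master/MIT-LICENSE)
+(MIT License) recursive-open-struct (https://github.com/aetherknight/recursive-open-struct/blob/master/LICENSE.txt)
+(MIT License) rest-client (https://github.com/rest-client/rest-client/blob/master/LICENSE)
+(MIT License) rubocop (https://github.com/rubocop-hq/rubocop/blob/master/LICENSE.txt)
+(MIT License) ruby-progressbar (https://github.com/jfelchner/ruby-progressbar/blob/master/LICENSE.txt)
+(MIT License) safe_yaml (https://github.com/dtao/safe_yaml/blob/master/LICENSE.txt)
+(MIT License) sigdump (https://github.com/frsyuki/sigdump/blob/master/LICENSE)
+(MIT License) simplecov (https://github.com/colszowka/simplecov/blob/master/LICENSE)
+(MIT License) simplecov-html (https://github.com/colszowka/simplecov-html/blob/master/LICENSE)
+(MIT License) swd (https://github.com/nov/SWD/blob/master/LICENSE)
+(MIT License) tzinfo (https://github.com/tzinfo/tzinfo/blob/master/LICENSE)
+(MIT License) tzinfo-data (https://github.com/tzinfo/tzinfo-data/blob/master/LICENSE)
+(MIT License) unf_ext (https://github.com/knu/ruby-unf_ext/blob/master/LICENSE.txt)
+(MIT License) unicode-display_width (https://github.com/janlelis/unicode-display_width/blob/master/MIT-LICENSE.txt)
+(MIT License) validate_email (https://github.com/perfectline/validates_email/blob/master/MIT-LICENSE)
+(MIT License) validate_url (https://github.com/perfectline/validates_url/blob/master/LICENSE.md)
+(MIT License) webfinger (https://github.com/nov/webfinger/blob/master/LICENSE.txt)
 (MIT License) webmock (https://github.com/bblimke/webmock/blob/master/LICENSE)
-(MIT License)
+(MIT License) yajl-ruby (https://github.com/brianmario/yajl-ruby/blob/master/LICENSE)
 
 ========================================================================
-For
+For the rest:
 ========================================================================
 
-
+bindata (https://github.com/dmendel/bindata/blob/master/COPYING)
+httpclient (https://github.com/nahi/httpclient/#license)
+json (https://www.ruby-lang.org/en/about/license.txt)
+test-unit (https://github.com/test-unit/test-unit)
+unf (https://github.com/knu/ruby-unf/blob/master/LICENSE)
+power_assert (https://github.com/k-tsj/power_assert/blob/master/BSDL)
+strptime (https://github.com/nurse/strptime/blob/master/LICENSE.txt)
+domain_name (https://github.com/knu/ruby-domain_name/blob/master/LICENSE.txt)
+ffi (https://github.com/ffi/ffi/blob/master/LICENSE)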
data/README.md
CHANGED
@@ -1,7 +1,9 @@
|
|
1
1
|
[![CircleCI](https://circleci.com/gh/git-lfs/git-lfs.svg?style=shield&circle-token=856152c2b02bfd236f54d21e1f581f3e4ebf47ad)](https://circleci.com/gh/splunk/fluent-plugin-splunk-hec)
|
2
2
|
# fluent-plugin-splunk-hec
|
3
3
|
|
4
|
-
[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com)
|
4
|
+
[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com) in 2 modes:<br/>
|
5
|
+
1) Via Splunk's [HEC (HTTP Event Collector) API](http://dev.splunk.com/view/event-collector/SP-CAAAE7F)<br/>
|
6
|
+
2) Via the Splunk Cloud Services (SCS) [Ingest API](https://sdc.splunkbeta.com/reference/api/ingest/v1beta2)
|
5
7
|
|
6
8
|
## Installation
|
7
9
|
|
@@ -27,9 +29,7 @@ $ bundle
|
|
27
29
|
|
28
30
|
* See also: [Output Plugin Overview](https://docs.fluentd.org/v1.0/articles/output-plugin-overview)
|
29
31
|
|
30
|
-
|
31
|
-
|
32
|
-
#### Example 1: Minimum Configs
|
32
|
+
#### Example 1: Minimum HEC Configuration
|
33
33
|
|
34
34
|
```
|
35
35
|
<match **>
|
@@ -42,7 +42,26 @@ $ bundle
|
|
42
42
|
|
43
43
|
This example is very basic, it just tells the plugin to send events to Splunk HEC on `https://12.34.56.78:8088` (https is the default protocol), using the HEC token `00000000-0000-0000-0000-000000000000`. It will use whatever index, source, sourcetype are configured in HEC. And the `host` of each event is the hostname of the machine which running fluentd.
|
44
44
|
|
45
|
-
|
45
|
+
|
46
|
+
#### Example 2: SCS Ingest Configuration example
|
47
|
+
|
48
|
+
```
|
49
|
+
<match **>
|
50
|
+
@type splunk_ingest_api
|
51
|
+
service_client_identifier xxxxxxxx
|
52
|
+
service_client_secret_key xxxx-xxxxx
|
53
|
+
token_endpoint /token
|
54
|
+
ingest_auth_host auth.scp.splunk.com
|
55
|
+
ingest_api_host api.scp.splunk.com
|
56
|
+
ingest_api_tenant <mytenant>
|
57
|
+
ingest_api_events_endpoint /<mytenant>/ingest/v1beta2/events
|
58
|
+
debug_http false
|
59
|
+
</match>
|
60
|
+
```
|
61
|
+
|
62
|
+
This example shows the configuration to be used for sending events to ingest API. This configuration shows how to use `service_client_identifier`, `service_client_secret_key` to get token from `token_endpoint` and send events to `ingest_api_host` for the tenant `ingest_api_tenant` at the endpoint `ingest_api_events_endpoint`. The `debug_http` flag indicates whether the user wants to print debug logs to stdout.
|
63
|
+
|
64
|
+
#### Example 3: Overwrite HEC defaults
|
46
65
|
|
47
66
|
```
|
48
67
|
<match **>
|
@@ -72,21 +91,21 @@ Sometimes you want to use the values from the input event for these parameters,
|
|
72
91
|
</match>
|
73
92
|
```
|
74
93
|
|
75
|
-
In
|
94
|
+
In this example (in order to keep it concise, we just omitted the repeating parameters, and we will keep doing so in the following examples), it uses the `source_key` config to set the source of event to the value of the event's `file_path` field. Given an input event like
|
76
95
|
```javascript
|
77
96
|
{"file_path": "/var/log/splunk.log", "message": "This is an exmaple.", "level": "info"}
|
78
97
|
```
|
79
|
-
Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is
|
98
|
+
Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is:
|
80
99
|
```javascript
|
81
|
-
{"message": "This is an
|
100
|
+
{"message": "This is an example.", "level": "info"}
|
82
101
|
```
|
83
102
|
If you want to keep "file\_path" in the event, you can use `keep_keys`.
|
84
103
|
|
85
104
|
Besides `source_key` there are also other `*_key` parameters, check the parameters details below.
|
86
105
|
|
87
|
-
#### Example
|
106
|
+
#### Example 4: Sending metrics
|
88
107
|
|
89
|
-
[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is
|
108
|
+
[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is available since Splunk 7.0.0, you can use this output plugin to send events as metrics to a Splunk metric index by setting `data_type` to "metric".
|
90
109
|
|
91
110
|
```
|
92
111
|
<match **>
|
@@ -98,7 +117,7 @@ Besides `source_key` there are also other `*_key` parameters, check the paramete
|
|
98
117
|
</match>
|
99
118
|
```
|
100
119
|
|
101
|
-
With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-
|
120
|
+
With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-value pair in the event is a metric name-value pair. For example, given an input event like
|
102
121
|
|
103
122
|
```javascript
|
104
123
|
{"cpu/usage": 0.5, "cpu/rate": 10, "memory/usage": 100, "memory/rss": 90}
|
@@ -129,107 +148,142 @@ You should change the configuration to
|
|
129
148
|
|
130
149
|
All other properties of the input (in this example, "app"), will be sent as dimensions of the metric. You can use the `<fields>` section to customize the dimensions.
|
131
150
|
|
132
|
-
###
|
151
|
+
### Type of plugin
|
133
152
|
|
134
153
|
#### @type
|
135
154
|
|
136
|
-
This value must be `splunk_hec
|
137
|
-
|
138
|
-
#### protocol (enum) (optional)
|
155
|
+
This value must be set to `splunk_hec` when using HEC API and to `splunk_ingest_api` when using the ingest API. Only one type either `splunk_hec` or `splunk_ingest_api` is expected to be used when configuring this plugin.
|
139
156
|
|
140
|
-
|
157
|
+
### Parameters for `splunk_hec`
|
141
158
|
|
142
|
-
|
159
|
+
#### protocol (enum) (optional)
|
143
160
|
|
144
|
-
|
161
|
+
This is the protocol to use for calling the HEC API. Available values are: http, https. This parameter is
|
162
|
+
set to `https` by default.
|
145
163
|
|
146
164
|
### hec_host (string) (required)
|
147
165
|
|
148
|
-
The hostname/IP
|
166
|
+
The hostname/IP for the HEC token or the HEC load balancer.
|
149
167
|
|
150
168
|
### hec_port (integer) (optional)
|
151
169
|
|
152
|
-
The port number
|
153
|
-
|
154
|
-
Default value: `8088`.
|
170
|
+
The port number for the HEC token or the HEC load balancer. The default value is `8088`.
|
155
171
|
|
156
172
|
### hec_token (string) (required)
|
157
173
|
|
158
|
-
|
174
|
+
Identifier for the HEC token.
|
159
175
|
|
160
|
-
###
|
176
|
+
### metrics_from_event (bool) (optional)
|
161
177
|
|
162
|
-
|
178
|
+
When `data_type` is set to "metric", the ingest API will treat every key-value pair in the input event as a metric name-value pair. Set `metrics_from_event` to `false` to disable this behavior and use `metric_name_key` and `metric_value_key` to define metrics. The default value is `true`.
|
163
179
|
|
164
|
-
###
|
180
|
+
### metric_name_key (string) (optional)
|
165
181
|
|
166
|
-
Field name
|
182
|
+
Field name that contains the metric name. This parameter only works in conjunction with the `metrics_from_event` paramter. When this prameter is set, the `metrics_from_event` parameter is automatically set to `false`.
|
167
183
|
|
168
|
-
###
|
184
|
+
### metric_value_key (string) (optional)
|
169
185
|
|
170
|
-
|
186
|
+
Field name that contains the metric value, this parameter is required when `metric_name_key` is configured.
|
171
187
|
|
172
|
-
|
188
|
+
### coerce_to_utf8 (bool) (optional)
|
173
189
|
|
174
|
-
|
190
|
+
Indicates whether to allow non-UTF-8 characters in user logs. If set to `true`, any non-UTF-8 character is replaced by the string specified in `non_utf8_replacement_string`. If set to `false`, the Ingest API errors out any non-UTF-8 characters. This parameter is set to `true` by default.
|
175
191
|
|
176
|
-
|
192
|
+
### non_utf8_replacement_string (string) (optional)
|
177
193
|
|
178
|
-
|
194
|
+
If `coerce_to_utf8` is set to `true`, any non-UTF-8 character is replaced by the string you specify in this parameter. The parameter is set to `' '` by default.
|
179
195
|
|
180
|
-
|
196
|
+
### Parameters for `splunk_ingest_api`
|
181
197
|
|
182
|
-
###
|
198
|
+
### service_client_identifier: (optional) (string)
|
183
199
|
|
184
|
-
|
200
|
+
Splunk uses the client identifier to make authorized requests to the ingest API.
|
185
201
|
|
186
|
-
###
|
202
|
+
### service_client_secret_key: (string)
|
187
203
|
|
188
|
-
The
|
204
|
+
The client identifier uses this authorization to make requests to the ingest API.
|
189
205
|
|
190
|
-
###
|
206
|
+
### token_endpoint: (string)
|
191
207
|
|
192
|
-
|
208
|
+
This value indicates which endpoint Splunk should look to for the authorization token necessary for requests to the ingest API.
|
193
209
|
|
194
|
-
###
|
210
|
+
### ingest_api_host: (string)
|
195
211
|
|
196
|
-
|
212
|
+
Indicates which url/hostname to use for requests to the ingest API.
|
197
213
|
|
198
|
-
|
214
|
+
### ingest_api_tenant: (string)
|
199
215
|
|
200
|
-
|
216
|
+
Indicates which tenant Splunk should use for requests to the ingest API.
|
201
217
|
|
202
|
-
|
218
|
+
### ingest_api_events_endpoint: (string)
|
203
219
|
|
204
|
-
|
220
|
+
Indicates which endpoint to use for requests to the ingest API.
|
205
221
|
|
206
|
-
|
222
|
+
### debug_http: (bool)
|
223
|
+
Set to True if you want to debug requests and responses to ingest API. Default is false.
|
207
224
|
|
208
|
-
###
|
225
|
+
### Parameters for both `splunk_hec` and `splunk_ingest_api`
|
209
226
|
|
210
|
-
|
227
|
+
### index (string) (optional)
|
211
228
|
|
212
|
-
|
229
|
+
Identifier for the Splunk index to be used for indexing events. If this parameter is not set,
|
230
|
+
the indexer is chosen by HEC. Cannot set both `index` and `index_key` parameters at the same time.
|
213
231
|
|
214
|
-
###
|
232
|
+
### index_key (string) (optional)
|
233
|
+
|
234
|
+
The field name that contains the Splunk index name. Cannot set both `index` and `index_key` parameters at the same time.
|
215
235
|
|
216
|
-
|
236
|
+
### host (string) (optional)
|
217
237
|
|
218
|
-
|
238
|
+
The host location for events. Cannot set both `host` and `host_key` parameters at the same time.
|
239
|
+
If the parameter is not set, the default value is the hostname of the machine runnning fluentd.
|
219
240
|
|
220
|
-
###
|
241
|
+
### host_key (string) (optional)
|
242
|
+
|
243
|
+
Key for the host location. Cannot set both `host` and `host_key` parameters at the same time.
|
221
244
|
|
222
|
-
|
245
|
+
### source (string) (optional)
|
246
|
+
|
247
|
+
The source field for events. If this parameter is not set, the source will be decided by HEC.
|
248
|
+
Cannot set both `source` and `source_key` parameters at the same time.
|
249
|
+
|
250
|
+
### source_key (string) (optional)
|
251
|
+
|
252
|
+
Field name to contain source. Cannot set both `source` and `source_key` parameters at the same time.
|
253
|
+
|
254
|
+
### sourcetype (string) (optional)
|
223
255
|
|
224
|
-
|
256
|
+
The sourcetype field for events. When not set, the sourcetype is decided by HEC.
|
257
|
+
Cannot set both `source` and `source_key` parameters at the same time.
|
258
|
+
|
259
|
+
### sourcetype_key (string) (optional)
|
260
|
+
|
261
|
+
Field name that contains the sourcetype. Cannot set both `source` and `source_key` parameters at the same time.
|
262
|
+
|
263
|
+
### fields (init) (optional)
|
264
|
+
|
265
|
+
Lets you specify the index-time fields for the event data type, or metric dimensions for the metric data type. Null value fields are removed.
|
266
|
+
|
267
|
+
### keep_keys (boolean) (Optional)
|
268
|
+
|
269
|
+
By default, all the fields used by the `*_key` parameters are removed from the original input events. To change this behavior, set this parameter to `true`. This parameter is set to `false` by default.
|
270
|
+
When set to true, all fields defined in `index_key`, `host_key`, `source_key`, `sourcetype_key`, `metric_name_key`, and `metric_value_key` are saved in the original event.
|
225
271
|
|
226
272
|
### <fields> section (optional) (single)
|
227
273
|
|
228
|
-
Depending on the value of `data_type` parameter, the parameters inside `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
|
274
|
+
Depending on the value of `data_type` parameter, the parameters inside the `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
|
275
|
+
|
276
|
+
### app_name (string) (Optional)
|
277
|
+
|
278
|
+
Splunk app name using this plugin (default to `hec_plugin_gem`)
|
279
|
+
|
280
|
+
### app_version (string) (Optional)
|
281
|
+
|
282
|
+
The version of Splunk app using this this plugin (default to plugin version)
|
229
283
|
|
230
284
|
#### When `data_type` is `event`
|
231
285
|
|
232
|
-
In this case, parameters inside `<fields>`
|
286
|
+
In this case, parameters inside `<fields>` are used as indexed fields and removed from the original input events. Please see the "Add a "fields" property at the top JSON level" [here](http://dev.splunk.com/view/event-collector/SP-CAAAFB6) for details. Given we have configuration like
|
233
287
|
|
234
288
|
```
|
235
289
|
<match **>
|
@@ -273,7 +327,7 @@ If a parameter has just a key, it means its value is exactly the same as the key
|
|
273
327
|
|
274
328
|
#### When `data_type` is `metric`
|
275
329
|
|
276
|
-
For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension
|
330
|
+
For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension is sent. For example, given the following configuration:
|
277
331
|
|
278
332
|
```
|
279
333
|
<match **>
|
@@ -291,22 +345,22 @@ For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>`
|
|
291
345
|
</match>
|
292
346
|
```
|
293
347
|
|
294
|
-
and
|
348
|
+
and the following input event:
|
295
349
|
|
296
350
|
```javascript
|
297
351
|
{"application": "webServer", "file": "server.rb", "value": 100, "status": "OK", "message": "Normal", "name": "CPU Usage"}
|
298
352
|
```
|
299
353
|
|
300
|
-
Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer"
|
354
|
+
Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer" are sent to Splunk.
|
301
355
|
|
302
356
|
### <format> section (optional) (multiple)
|
303
357
|
|
304
|
-
The `<format>` section let
|
358
|
+
The `<format>` section let you define which formatter to use to format events.
|
305
359
|
By default, it uses [the `json` formatter](https://docs.fluentd.org/v1.0/articles/formatter_jso://docs.fluentd.org/v1.0/articles/formatter_json).
|
306
360
|
|
307
|
-
Besides the `@type` parameter, you should define
|
361
|
+
Besides the `@type` parameter, you should define the other parameters for the formatter inside this section.
|
308
362
|
|
309
|
-
Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does
|
363
|
+
Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does to define tag matching. By default, every event is formatted with `json`. For example:
|
310
364
|
|
311
365
|
```
|
312
366
|
<match **>
|
@@ -324,34 +378,35 @@ Multiple `<format>` sections can be defined to use different formatters for diff
|
|
324
378
|
</format>
|
325
379
|
```
|
326
380
|
|
327
|
-
|
381
|
+
This example:
|
382
|
+
- Formats events with tags that start with `sometag.` with the `single_value` formatter
|
383
|
+
- Formats events with tags `some.othertag` with the `csv` formatter
|
384
|
+
- Formats all other events with the `json` formatter (the default formatter)
|
328
385
|
|
329
386
|
If you want to use a different default formatter, you can add a `<format **>` (or `<format>`) section.
|
330
387
|
|
331
388
|
#### @type (string) (required)
|
332
389
|
|
333
|
-
|
390
|
+
Specifies which formatter to use.
|
334
391
|
|
335
392
|
### Net::HTTP::Persistent parameters (optional)
|
336
393
|
|
337
|
-
The following parameters can be used for tuning HTTP connections
|
394
|
+
The following parameters can be used for tuning HTTP connections:
|
338
395
|
|
339
396
|
#### idle_timeout (integer)
|
340
397
|
|
341
|
-
The default is
|
398
|
+
The default is five seconds. If a connection has not been used for five seconds, it is automatically reset at next use, in order to avoid attempting to send to a closed connection. Specifiy `nil` to prohibit any timeouts.
|
342
399
|
|
343
400
|
#### read_timeout (integer)
|
344
|
-
|
345
|
-
The default is nil. The amount of time allowed between reading two chunks from the socket.
|
401
|
+
The amount of time allowed between reading two chunks from the socket. The default value is `nil`, which means no timeout.
|
346
402
|
|
347
403
|
#### open_timeout (integer)
|
348
404
|
|
349
|
-
The
|
405
|
+
The amount of time to wait for a connection to be opened. The default is `nil`, which means no timeout.
|
350
406
|
|
351
407
|
### SSL parameters
|
352
408
|
|
353
|
-
|
354
|
-
All these parameters are optional.
|
409
|
+
The following optional parameters let you configure SSL for HTTPS protocol.
|
355
410
|
|
356
411
|
#### client_cert (string)
|
357
412
|
|
@@ -375,9 +430,7 @@ List of SSl ciphers allowed.
|
|
375
430
|
|
376
431
|
#### insecure_ssl (bool)
|
377
432
|
|
378
|
-
|
379
|
-
|
380
|
-
Default value: `false`.
|
433
|
+
Specifies whether an insecure SSL connection is allowed. If set to false, Splunk does not verify an insecure server certificate. This parameter is set to `false` by default. Ensure parameter `ca_file` is not configured in order to allow insecure SSL connections when this value is set to `true`.
|
381
434
|
|
382
435
|
## About Buffer
|
383
436
|
|
@@ -392,4 +445,4 @@ Here are some hints:
|
|
392
445
|
|
393
446
|
## License
|
394
447
|
|
395
|
-
Please see [LICENSE](LICENSE).
|
448
|
+
Please see [LICENSE](LICENSE).
|