fluent-plugin-splunk-hec 1.1.2 → 1.2.0
- checksums.yaml +4 -4
- data/Gemfile +2 -0
- data/Gemfile.lock +125 -14
- data/README.md +136 -74
- data/Rakefile +6 -1
- data/VERSION +1 -1
- data/fluent-plugin-splunk-hec.gemspec +9 -3
- data/lib/fluent/plugin/out_splunk.rb +313 -0
- data/lib/fluent/plugin/{out_splunk_hec → out_splunk}/match_formatter.rb +5 -3
- data/lib/fluent/plugin/out_splunk/version.rb +3 -0
- data/lib/fluent/plugin/out_splunk_hec.rb +130 -190
- data/lib/fluent/plugin/out_splunk_hec/version.rb +2 -0
- data/lib/fluent/plugin/out_splunk_ingest_api.rb +109 -0
- data/test/fluent/plugin/out_splunk_hec_test.rb +232 -221
- data/test/fluent/plugin/out_splunk_ingest_api_test.rb +244 -0
- data/test/test_helper.rb +10 -7
- metadata +82 -23
- data/test/lib/webmock/http_lib_adapters/httpclient_adapter.rb +0 -0
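--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5d3a2f11d9a4a81af516b66534c533a87ac2333deb62db605d3600ae3d4c6138
+data.tar.gz: 4d62b7be1185257cea93eba96cb2ca8f5c4a7b6ad9f2f04bc8355cd9039f1c6e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 47c0f04fa3c7040c3f1f02f5555e4dbb6cdf15a8d62bbb709058b8f641a8e6c304f3294cd2349dbac288c0bcd2723338d33b5e6424f57076106b87bc82e7281c
+data.tar.gz: 0f59b7a77013c4aaca16693e8852bffc990be1cb2be088ebdb03f639bfec1e3277d5e402ed4809a6b965355dba97df99e62fcf828857946de89afb58a0ef7734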
data/Gemfile
CHANGED
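--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,22 +1,44 @@
 PATH
 remote: .
 specs:
-fluent-plugin-splunk-hec (1.
-
+fluent-plugin-splunk-hec (1.2.0)
+fluent-plugin-kubernetes_metadata_filter (= 2.1.2)
+fluentd (= 1.4)
 multi_json (~> 1.13)
 net-http-persistent (~> 3.0)
+openid_connect (~> 1.1.6)
+prometheus-client (~> 0.9.0)
 
 GEM
 remote: https://rubygems.org/
 specs:
+activemodel (6.0.0)
+activesupport (= 6.0.0)
+activesupport (6.0.0)
+concurrent-ruby (~> 1.0, >= 1.0.2)
+i18n (>= 0.7, < 2)
+minitest (~> 5.1)
+tzinfo (~> 1.1)
+zeitwerk (~> 2.1, >= 2.1.8)
 addressable (2.6.0)
 public_suffix (>= 2.0.2, < 4.0)
+aes_key_wrap (1.0.1)
+ast (2.4.0)
+attr_required (1.0.1)
+bindata (2.4.4)
+concurrent-ruby (1.1.5)
 connection_pool (2.2.2)
-cool.io (1.5.
+cool.io (1.5.4)
 crack (0.4.3)
 safe_yaml (~> 1.0.0)
 dig_rb (1.0.1)
 docile (1.3.1)
+domain_name (0.5.20190701)
+unf (>= 0.0.5, < 1.0.0)
+fluent-plugin-kubernetes_metadata_filter (2.1.2)
+fluentd (>= 0.14.0, < 2)
+kubeclient (~> 1.1.4)
+lru_redux
 fluentd (1.4.0)
 cool.io (>= 1.4.5, < 2.0.0)
 dig_rb (~> 1.0.0)
@@ -28,19 +50,89 @@ GEM
 tzinfo (~> 1.0)
 tzinfo-data (~> 1.0)
 yajl-ruby (~> 1.0)
-hashdiff (0.
+hashdiff (0.4.0)
+http (0.9.8)
+addressable (~> 2.3)
+http-cookie (~> 1.0)
+http-form_data (~> 1.0.1)
+http_parser.rb (~> 0.6.0)
+http-accept (1.7.0)
+http-cookie (1.0.3)
+domain_name (~> 0.5)
+http-form_data (1.0.3)
 http_parser.rb (0.6.0)
+httpclient (2.8.3)
+i18n (1.7.0)
+concurrent-ruby (~> 1.0)
+jaro_winkler (1.5.2)
 json (2.1.0)
+json-jwt (1.10.2)
+activesupport (>= 4.2)
+aes_key_wrap
+bindata
+kubeclient (1.1.4)
+activesupport
+http (= 0.9.8)
+recursive-open-struct (= 1.0.0)
+rest-client
+lru_redux (1.1.0)
+mail (2.7.1)
+mini_mime (>= 0.1.1)
+mime-types (3.3)
+mime-types-data (~> 3.2015)
+mime-types-data (3.2019.1009)
+mini_mime (1.0.2)
 minitest (5.11.3)
-msgpack (1.
-multi_json (1.
-net-http-persistent (3.
+msgpack (1.3.1)
+multi_json (1.14.1)
+net-http-persistent (3.1.0)
 connection_pool (~> 2.2)
-
-
+netrc (0.11.0)
+openid_connect (1.1.8)
+activemodel
+attr_required (>= 1.0.0)
+json-jwt (>= 1.5.0)
+rack-oauth2 (>= 1.6.1)
+swd (>= 1.0.0)
+tzinfo
+validate_email
+validate_url
+webfinger (>= 1.0.1)
+parallel (1.13.0)
+parser (2.6.0.0)
+ast (~> 2.4.0)
+power_assert (1.1.4)
+powerpack (0.1.2)
+prometheus-client (0.9.0)
+quantile (~> 0.2.1)
+public_suffix (3.1.1)
+quantile (0.2.1)
+rack (2.0.7)
+rack-oauth2 (1.10.0)
+activesupport
+attr_required
+httpclient
+json-jwt (>= 1.9.0)
+rack
+rainbow (3.0.0)
 rake (12.3.2)
-
-
+recursive-open-struct (1.0.0)
+rest-client (2.1.0)
+http-accept (>= 1.7.0, < 2.0)
+http-cookie (>= 1.0.2, < 2.0)
+mime-types (>= 1.16, < 4.0)
+netrc (~> 0.8)
+rubocop (0.63.1)
+jaro_winkler (~> 1.5.1)
+parallel (~> 1.10)
+parser (>= 2.5, != 2.5.1.1)
+powerpack (~> 0.1)
+rainbow (>= 2.2.2, < 4.0)
+ruby-progressbar (~> 1.7)
+unicode-display_width (~> 1.4.0)
+ruby-progressbar (1.10.0)
+safe_yaml (1.0.5)
+serverengine (2.1.1)
 sigdump (~> 0.2.2)
 sigdump (0.2.4)
 simplecov (0.16.1)
@@ -49,18 +141,36 @@ GEM
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.2)
 strptime (0.2.3)
-
+swd (1.1.2)
+activesupport (>= 3)
+attr_required (>= 0.0.5)
+httpclient (>= 2.4)
+test-unit (3.3.3)
 power_assert
 thread_safe (0.3.6)
 tzinfo (1.2.5)
 thread_safe (~> 0.1)
-tzinfo-data (1.
+tzinfo-data (1.2019.3)
 tzinfo (>= 1.0.0)
+unf (0.1.4)
+unf_ext
+unf_ext (0.0.7.6)
+unicode-display_width (1.4.1)
+validate_email (0.1.6)
+activemodel (>= 3.0)
+mail (>= 2.2.5)
+validate_url (1.0.8)
+activemodel (>= 3.0.0)
+public_suffix
+webfinger (1.1.0)
+activesupport
+httpclient (>= 2.4)
 webmock (3.5.1)
 addressable (>= 2.3.6)
 crack (>= 0.3.2)
 hashdiff
 yajl-ruby (1.4.1)
+zeitwerk (2.2.0)
 
 PLATFORMS
 ruby
@@ -70,9 +180,10 @@ DEPENDENCIES
 fluent-plugin-splunk-hec!
 minitest (~> 5.0)
 rake (~> 12.0)
+rubocop (~> 0.63.1)
 simplecov
 test-unit (~> 3.0)
 webmock (~> 3.5.0)
 
 BUNDLED WITH
-2.0.
+2.0.2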
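--- a/data/README.md
+++ b/data/README.md
@@ -1,12 +1,14 @@
 [![CircleCI](https://circleci.com/gh/git-lfs/git-lfs.svg?style=shield&circle-token=856152c2b02bfd236f54d21e1f581f3e4ebf47ad)](https://circleci.com/gh/splunk/fluent-plugin-splunk-hec)
 # fluent-plugin-splunk-hec
 
-[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com)
+[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com) in 2 modes:<br/>
+1) Via Splunk's [HEC (HTTP Event Collector) API](http://dev.splunk.com/view/event-collector/SP-CAAAE7F)<br/>
+2) Via the [Splunk Ingest API](https://sdc.splunkbeta.com/reference/api/ingest/v1beta2)
 
 ## Installation
 
 ### RubyGems
-```
+```
 $ gem install fluent-plugin-splunk-hec
 ```
 ### Bundler
@@ -27,9 +29,7 @@ $ bundle
 
 * See also: [Output Plugin Overview](https://docs.fluentd.org/v1.0/articles/output-plugin-overview)
 
-
-
-#### Example 1: Minimum Configs
+#### Example 1: Minimum Configuration
 
 ```
 <match **>
@@ -42,7 +42,25 @@ $ bundle
 
 This example is very basic, it just tells the plugin to send events to Splunk HEC on `https://12.34.56.78:8088` (https is the default protocol), using the HEC token `00000000-0000-0000-0000-000000000000`. It will use whatever index, source, sourcetype are configured in HEC. And the `host` of each event is the hostname of the machine which running fluentd.
 
-
+
+#### Example 2: Configuration example
+
+```
+<match **>
+@type splunk_ingest_api
+service_client_identifier xxxxxxxx
+service_client_secret_key xxxx-xxxxx
+token_endpoint /system/identity/v2beta1/token
+ingest_api_host api.url.splunk.com
+ingest_api_tenant mytenant
+ingest_api_events_endpoint /ingest/mybuild/events
+debug_http false
+</match>
+```
+
+This example shows the configuration to be used for sending events to ingest API. This configuration shows how to use `service_client_identifier`, `service_client_secret_key` to get token from `token_endpoint` and send events to `ingest_api_host` for the tenant `ingest_api_tenant` at the endpoint `ingest_api_events_endpoint`. The `debug_http` flag indicates whether the user wants to print debug logs to stdout.
+
+#### Example 3: Overwrite HEC defaults
 
 ```
 <match **>
@@ -72,21 +90,21 @@ Sometimes you want to use the values from the input event for these parameters,
 </match>
 ```
 
-In
+In this example (in order to keep it concise, we just omitted the repeating parameters, and we will keep doing so in the following examples), it uses the `source_key` config to set the source of event to the value of the event's `file_path` field. Given an input event like
 ```javascript
 {"file_path": "/var/log/splunk.log", "message": "This is an exmaple.", "level": "info"}
 ```
-Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is
+Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is:
 ```javascript
-{"message": "This is an
+{"message": "This is an example.", "level": "info"}
 ```
 If you want to keep "file\_path" in the event, you can use `keep_keys`.
 
 Besides `source_key` there are also other `*_key` parameters, check the parameters details below.
 
-#### Example
+#### Example 4: Sending metrics
 
-[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is
+[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is available since Splunk 7.0.0, you can use this output plugin to send events as metrics to a Splunk metric index by setting `data_type` to "metric".
 
 ```
 <match **>
@@ -98,7 +116,7 @@ Besides `source_key` there are also other `*_key` parameters, check the paramete
 </match>
 ```
 
-With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-
+With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-value pair in the event is a metric name-value pair. For example, given an input event like
 
 ```javascript
 {"cpu/usage": 0.5, "cpu/rate": 10, "memory/usage": 100, "memory/rss": 90}
@@ -129,107 +147,136 @@ You should change the configuration to
 
 All other properties of the input (in this example, "app"), will be sent as dimensions of the metric. You can use the `<fields>` section to customize the dimensions.
 
-###
+### Type of plugin
 
 #### @type
 
-This value must be `splunk_hec
-
-#### protocol (enum) (optional)
+This value must be set to `splunk_hec` when using HEC API and to `splunk_ingest_api` when using the ingest API. Only one type either `splunk_hec` or `splunk_ingest_api` is expected to be used when configuring this plugin.
 
-
+### Parameters for `splunk_hec`
 
-
+#### protocol (enum) (optional)
 
-
+This is the protocol to use for calling the HEC API. Available values are: http, https. This parameter is
+set to `https` by default.
 
 ### hec_host (string) (required)
 
-The hostname/IP
+The hostname/IP for the HEC token or the HEC load balancer.
 
 ### hec_port (integer) (optional)
 
-The port number
-
-Default value: `8088`.
+The port number for the HEC token or the HEC load balancer. The default value is `8088`.
 
 ### hec_token (string) (required)
 
-
+Identifier for the HEC token.
 
-###
+### metrics_from_event (bool) (optional)
 
-
+When `data_type` is set to "metric", the ingest API will treat every key-value pair in the input event as a metric name-value pair. Set `metrics_from_event` to `false` to disable this behavior and use `metric_name_key` and `metric_value_key` to define metrics. The default value is `true`.
 
-###
+### metric_name_key (string) (optional)
 
-Field name
+Field name that contains the metric name. This parameter only works in conjunction with the `metrics_from_event` paramter. When this prameter is set, the `metrics_from_event` parameter is automatically set to `false`.
 
-###
+### metric_value_key (string) (optional)
 
-
+Field name that contains the metric value, this parameter is required when `metric_name_key` is configured.
 
-
+### coerce_to_utf8 (bool) (optional)
 
-
+Indicates whether to allow non-UTF-8 characters in user logs. If set to `true`, any non-UTF-8 character is replaced by the string specified in `non_utf8_replacement_string`. If set to `false`, the Ingest API errors out any non-UTF-8 characters. This parameter is set to `true` by default.
 
-
+### non_utf8_replacement_string (string) (optional)
 
-
+If `coerce_to_utf8` is set to `true`, any non-UTF-8 character is replaced by the string you specify in this parameter. The parameter is set to `' '` by default.
 
-
+### Parameters for `splunk_ingest_api`
 
-###
+### service_client_identifier: (optional) (string)
 
-
+Splunk uses the client identifier to make authorized requests to the ingest API.
 
-###
+### service_client_secret_key: (string)
 
-The
+The client identifier uses this authorization to make requests to the ingest API.
 
-###
+### token_endpoint: (string)
 
-
+This value indicates which endpoint Splunk should look to for the authorization token necessary for requests to the ingest API.
 
-###
+### ingest_api_host: (string)
 
-
+Indicates which url/hostname to use for requests to the ingest API.
 
-
+### ingest_api_tenant: (string)
 
-
+Indicates which tenant Splunk should use for requests to the ingest API.
 
-
+### ingest_api_events_endpoint: (string)
 
-
+Indicates which endpoint to use for requests to the ingest API.
 
-
+### debug_http: (bool)
+Set to True if you want to debug requests and responses to ingest API. Default is false.
 
-###
+### Parameters for both `splunk_hec` and `splunk_ingest_api`
 
-
+### index (string) (optional)
 
-
+Identifier for the Splunk index to be used for indexing events. If this parameter is not set,
+the indexer is chosen by HEC. This parameter only works in conjunction with the `index_key` parameter.
 
-###
+### index_key (string) (optional)
 
-
+The field name that contains the Splunk index name. This parameter works in conjunction with `index` and will
+not work if the `index` parameter is not set.
 
-
+### host (string) (optional)
 
-
+The host location for events. This parameter only works in conjunction with the `host_key` parameter.
+If the parameter is not set, the default value is the hostname of the machine runnning fluentd.
+
+### host_key (string) (optional)
+
+Key for the host location. This parameter only works in conjunction with the `host` parameter. If the `host`
+parameter is not set, this parameter is ignored.
+
+### source (string) (optional)
+
+The source field for events. If this parameter is not set, the source will be decided by HEC. This
+parameter only works in conjunction with the `source_key` parameter.
+
+### source_key (string) (optional)
+
+Field name to contain source. This parameter only works in conjunction with the `source` parameter.
+
+### sourcetype (string) (optional)
+
+The sourcetype field for events. When not set, the sourcetype is decided by HEC. This parameter only works in
+conjunction with the `sourcetype_key` parameter.
+
+### sourcetype_key (string) (optional)
 
-
+Field name that contains the sourcetype. This parameter only works in conjunction with the `sourcetype` parameter.
 
-
+### fields (init) (optional)
+
+Lets you specify the index-time fields for the event data type, or metric dimensions for the metric data type. Null value fields are removed.
+
+### keep_keys (boolean) (Optional)
+
+By default, all the fields used by the `*_key` parameters are removed from the original input events. To change this behavior, set this parameter to `true`. This parameter is set to `false` by default.
+When set to true, all fields defined in `index_key`, `host_key`, `source_key`, `sourcetype_key`, `metric_name_key`, and `metric_value_key` are saved in the original event.
 
 ### <fields> section (optional) (single)
 
-Depending on the value of `data_type` parameter, the parameters inside `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
+Depending on the value of `data_type` parameter, the parameters inside the `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
 
 #### When `data_type` is `event`
 
-In this case, parameters inside `<fields>`
+In this case, parameters inside `<fields>` are used as indexed fields and removed from the original input events. Please see the "Add a "fields" property at the top JSON level" [here](http://dev.splunk.com/view/event-collector/SP-CAAAFB6) for details. Given we have configuration like
 
 ```
 <match **>
@@ -273,7 +320,7 @@ If a parameter has just a key, it means its value is exactly the same as the key
 
 #### When `data_type` is `metric`
 
-For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension
+For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension is sent. For example, given the following configuration:
 
 ```
 <match **>
@@ -291,22 +338,22 @@ For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>`
 </match>
 ```
 
-and
+and the following input event:
 
 ```javascript
 {"application": "webServer", "file": "server.rb", "value": 100, "status": "OK", "message": "Normal", "name": "CPU Usage"}
 ```
 
-Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer"
+Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer" are sent to Splunk.
 
 ### <format> section (optional) (multiple)
 
-The `<format>` section let
+The `<format>` section let you define which formatter to use to format events.
 By default, it uses [the `json` formatter](https://docs.fluentd.org/v1.0/articles/formatter_jso://docs.fluentd.org/v1.0/articles/formatter_json).
 
-Besides the `@type` parameter, you should define
+Besides the `@type` parameter, you should define the other parameters for the formatter inside this section.
 
-Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does
+Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does to define tag matching. By default, every event is formatted with `json`. For example:
 
 ```
 <match **>
@@ -324,13 +371,31 @@ Multiple `<format>` sections can be defined to use different formatters for diff
 </format>
 ```
 
-
+This example:
+- Formats events with tags that start with `sometag.` with the `single_value` formatter
+- Formats events with tags `some.othertag` with the `csv` formatter
+- Formats all other events with the `json` formatter (the default formatter)
 
 If you want to use a different default formatter, you can add a `<format **>` (or `<format>`) section.
 
 #### @type (string) (required)
 
-
+Specifies which formatter to use.
+
+### Net::HTTP::Persistent parameters (optional)
+
+The following parameters can be used for tuning HTTP connections:
+
+#### idle_timeout (integer)
+
+The default is five seconds. If a connection has not been used for five seconds, it is automatically reset at next use, in order to avoid attempting to send to a closed connection. Specifiy `nil` to prohibit any timeouts.
+
+#### read_timeout (integer)
+The amount of time allowed between reading two chunks from the socket. The default value is `nil`, which means no timeout.
+
+#### open_timeout (integer)
+
+The amount of time to wait for a connection to be opened. The default is `nil`, which means no timeout.
 
 ### Net::HTTP::Persistent parameters (optional)
 
@@ -338,7 +403,7 @@ The following parameters can be used for tuning HTTP connections
 
 #### idle_timeout (integer)
 
-The default is 5 seconds. If a connection has not been used for this number of seconds it will automatically be reset upon the next use to avoid attempting to send to a closed connection; nil means no timeout.
+The default is 5 seconds. If a connection has not been used for this number of seconds it will automatically be reset upon the next use to avoid attempting to send to a closed connection; nil means no timeout.
 
 #### read_timeout (integer)
 
@@ -350,8 +415,7 @@ The default is nil. The amount of time to wait for a connection to be opened.
 
 ### SSL parameters
 
-
-All these parameters are optional.
+The following optional parameters let you configure SSL for HTTPS protocol.
 
 #### client_cert (string)
 
@@ -375,9 +439,7 @@ List of SSl ciphers allowed.
 
 #### insecure_ssl (bool)
 
-
-
-Default value: `false`.
+Specifies whether an insecure SSL connection is allowed. If set to false, Splunk does not verify an insecure server certificate. This parameter is set to `false` by default.
 
 ## About Buffer
 
@@ -392,4 +454,4 @@ Here are some hints:
 
 ## License
 
-Please see [LICENSE](LICENSE).
+Please see [LICENSE](LICENSE).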