fluent-plugin-splunkapi-ssln 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-splunk.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,18 @@
+Copyright (C) 2013 Keisuke Nishida
+
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.

data/README.md

@@ -0,0 +1,249 @@
+# Fluent::Plugin::SplunkAPI, a plugin for [Fluentd](http://fluentd.org)
+
+Splunk output plugin for Fluent event collector.
+
+This plugin makes use of the following APIs:
+
+Splunk REST API:
+
+  http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput
+
+Splunk Storm API:
+
+  http://docs.splunk.com/Documentation/Storm/latest/User/UseStormsRESTAPI
+
+## Notes
+
+Although this plugin is capable of sending Fluent events directly to
+Splunk servers or Splunk Storm, it is not recommended to do so.
+Please use "Universal Forwarder" as a gateway, as described below.
+
+It is known that this plugin has several issues of performance and
+error handling in dealing with large data sets.  With a local/reliable
+forwarder, you can aggregate a number of events locally and send them
+to a server in bulk.
+
+In short, I'd recommend to install a forwarder in each host, and use
+this plugin to deliver events to the local forwarder:
+
+    <match **>
+      # Deliver events to the local forwarder.
+      type splunkapi
+      protocol rest
+      server 127.0.0.1:8089
+      verify false
+      auth admin:changeme
+
+      # Convert fluent tags to Splunk sources.
+      # If you set an index, "check_index false" is required.
+      host YOUR-HOSTNAME
+      index SOME-INDEX
+      check_index false
+      source {TAG}
+      sourcetype fluent
+
+      # TIMESTAMP: key1="value1" key2="value2" ...
+      time_format unixtime
+      format kvp
+
+      # Memory buffer with a short flush internal.
+      buffer_type memory
+      buffer_queue_limit 16
+      buffer_chunk_limit 8m
+      flush_interval 2s
+    </match>
+
+## Additional Notes
+
+Splunk 5 has a new feature called "Modular Inputs":
+
+http://blogs.splunk.com/2013/04/16/modular-inputs-tools/
+
+My plan is switching to Modular Inputs rather than staying with APIs.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'fluent-plugin-splunkapi'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install fluent-plugin-splunkapi
+
+## Configuration
+
+Put the following lines to your fluent.conf:
+
+    <match **>
+      type splunkapi
+
+      #
+      # Splnk Server
+      #
+
+      # protocol: API protocol version
+      # values: rest, storm
+      # default: rest
+      protocol rest
+
+      # server: Splunk server host and port
+      # default: localhost:8089
+      server localhost:8089
+
+      # verify: SSL server verification
+      # default: true
+      #verify false
+
+      # auth: username and password
+      auth admin:pass
+
+      #
+      # Splnk Storm
+      #
+
+      # protocol: API protocol version.
+      # values: rest, storm
+      # default: rest
+      #protocol storm
+
+      # access_token: for Splunk Storm
+      #access_token YOUR-ACCESS-TOKEN
+
+      # access_token: for Splunk Storm
+      #project_id YOUR-PROJECT-ID
+
+      #
+      # Event Parameters
+      #
+
+      # host: 'host' parameter passed to Splunk
+      host YOUR-HOSTNAME
+
+      # index: 'index' parameter passed to Splunk (REST only)
+      # default: <none>
+      #index main
+
+      # check_index: 'check-index' parameter passed to Splunk (REST only)
+      # default: <none>
+      #check_index false
+
+      # host: 'source' parameter passed to Splunk
+      # default: {TAG}
+      #
+      # "{TAG}" will be replaced by fluent tags at runtime
+      source {TAG}
+
+      # sourcetype: 'sourcetype' parameter passed to Splunk
+      # default: fluent
+      sourcetype fluent
+
+      #
+      # Formatting Parameters
+      #
+
+      # time_format: the time format of each event
+      # value: none, unixtime, localtime, or any time format string
+      # default: localtime
+      time_format localtime
+
+      # format: the text format of each event
+      # value: json, kvp, or text
+      # default: json
+      #
+      # input = {"x":1, "y":"xyz", "message":"Hello, world!"}
+      # 
+      # 'json' is JSON encoding:
+      #   {"x":1,"y":"xyz","message":"Hello, world!"}
+      # 
+      # 'kvp' is "key=value" pairs, which is automatically detected as fields by Splunk:
+      #   x="1" y="xyz" message="Hello, world!"
+      # 
+      # 'text' outputs the value of "message" as is, with "key=value" pairs for others:
+      #   [x="1" y="xyz"] Hello, world!
+      format json
+
+      #
+      # Buffering Parameters
+      #
+
+      # Standard parameters for buffering.  See documentation for details:
+      #   http://docs.fluentd.org/articles/buffer-plugin-overview
+      buffer_type memory
+      buffer_queue_limit 16
+
+      # buffer_chunk_limit: The maxium size of POST data in a single API call.
+      # 
+      # This value should be reasonablly small since the current implementation
+      # of out_splunkapi converts a chunk to POST data on memory before API calls.
+      # The default value should be good enough.
+      buffer_chunk_limit 8m
+
+      # flush_interval: The interval of API requests.
+      # 
+      # Make sure that this value is sufficiently large to make successive API calls.
+      # Note that a different 'source' creates a different API POST, each of which may
+      # take two or more seconds.  If you include "{TAG}" in the source parameter and
+      # this 'match' section recieves many tags, a single flush may take long time.
+      # (Run fluentd with -v to see verbose logs.)
+      flush_interval 60s
+    </match>
+
+## Example
+
+    # Input from applications
+    <source>
+      type forward
+    </source>
+
+    # Input from log files
+    <source>
+      type tail
+      path /var/log/apache2/ssl_access.log
+      tag ssl_access.log
+      format /(?<message>.*)/
+      pos_file /var/log/td-agent/ssl_access.log.pos
+    </source>
+
+    # fluent logs in text format
+    <match fluent.*>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype fluentd
+      format text
+    </match>
+
+    # log files in text format without timestamp
+    <match *.log>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype log
+      time_format none
+      format text
+    </match>
+
+    # application logs in kvp format
+    <match app.**>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype app
+      format kvp
+    </match>
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/fluent-plugin-splunkapi-ssln.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name          = "fluent-plugin-splunkapi-ssln"
+  gem.version       = "0.0.1"
+  gem.authors       = ["Kristian Brimble"]
+  gem.email         = ["kbrimble@sportingsolutions,com"]
+  gem.summary       = %q{Splunk output plugin (REST API / Storm API) for Fluentd event collector}
+  gem.description   = %q{Splunk output plugin (REST API / Storm API) for Fluentd event collector}
+  gem.homepage      = "https://github.com/kbrimble/fluent-plugin-splunkapi"
+  gem.license       = 'Apache License, Version 2.0'
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.rubyforge_project = "fluent-plugin-splunkapi-ssln"
+  gem.add_development_dependency "fluentd"
+  gem.add_development_dependency "net-http-persistent"
+  gem.add_runtime_dependency "fluentd"
+  gem.add_runtime_dependency "net-http-persistent"
+end

data/lib/fluent/plugin/out_splunkapi-ssnl.rb

@@ -0,0 +1,139 @@
+=begin
+
+  Copyright (C) 2013 Keisuke Nishida
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+
+=end
+
+module Fluent
+
+class SplunkAPIOutput < BufferedOutput
+  Plugin.register_output('splunkapi', self)
+
+  config_param :protocol, :string, :default => 'rest'
+
+  # for Splunk REST API
+  config_param :server, :string, :default => 'localhost:8089'
+  config_param :verify, :bool, :default => true
+  config_param :auth, :string, :default => nil # TODO: required with rest
+
+  # Event parameters
+  config_param :check_index, :bool, :default => true
+  config_param :index, :string, :default => 'index'
+
+  # Retry parameters
+  config_param :post_retry_max, :integer, :default => 5
+  config_param :post_retry_interval, :integer, :default => 5
+
+  def initialize
+    super
+    require 'net/http/persistent'
+    require 'json'
+    @idx_indexers = 0
+    @indexers = []
+  end
+
+  def configure(conf)
+    super
+
+    if @server.match(/,/)
+      @indexers = @server.split(',')
+    else
+      @indexers = [@server]
+    end
+  end
+
+  def start
+    super
+    @http = Net::HTTP::Persistent.new 'fluentd-plugin-splunkapi'
+    @http.verify_mode = OpenSSL::SSL::VERIFY_NONE unless @verify
+    @http.headers['Content-Type'] = 'text/plain'
+    log.info "initialized for splunkapi"
+  end
+
+  def shutdown
+    # NOTE: call super before @http.shutdown because super may flush final output
+    super
+
+    @http.shutdown
+    log.debug "shutdown from splunkapi"
+  end
+
+  def format(tag, time, record)
+    event = "#{record.to_json}\n"
+    [tag, event].to_msgpack
+  end
+
+  def chunk_to_buffers(chunk)
+    buffers = {}
+    chunk.msgpack_each do |tag, message|
+      event = JSON.parse(message)
+      uri = get_baseurl(tag, event)
+      (buffers[uri] ||= []) << event['payload']
+    end
+    return buffers
+  end
+
+  def write(chunk)
+    chunk_to_buffers(chunk).each do |url, messages|
+      uri = URI url
+      post = Net::HTTP::Post.new uri.request_uri
+      post.basic_auth @username, @password
+      post.body = messages.join('')
+      log.debug "POST #{uri}"
+      # retry up to :post_retry_max times
+      1.upto(@post_retry_max) do |c|
+        response = @http.request uri, post
+        log.debug "=> #{response.code} (#{response.message})"
+        if response.code == "200"
+          # success
+          break
+        elsif response.code.match(/^40/)
+          # user error
+          log.error "#{uri}: #{response.code} (#{response.message})\n#{response.body}"
+          break
+        elsif c < @post_retry_max
+          # retry
+          sleep @post_retry_interval
+          next
+        else
+          # other errors. fluentd will retry processing on exception
+          # FIXME: this may duplicate logs when using multiple buffers
+          raise "#{uri}: #{response.message}"
+        end
+      end
+    end
+  end
+
+  def get_baseurl(key, event)
+    base_url = ''
+    @username, @password = @auth.split(':')
+    server = @indexers[@idx_indexers];
+    @idx_indexers = (@idx_indexers + 1) % @indexers.length
+    base_url = "https://#{server}/services/receivers/simple?sourcetype=#{key}"
+    base_url += "&host=#{event['host']}"
+    base_url += "&index=#{@index}"
+    base_url += "&source=#{event['source']}"
+    base_url += "&check-index=false" unless @check_index
+    base_url
+  end
+end
+
+# Module close
+end

data/test/helper.rb

@@ -0,0 +1,28 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+unless ENV.has_key?('VERBOSE')
+  nulllogger = Object.new
+  nulllogger.instance_eval {|obj|
+    def method_missing(method, *args)
+      # pass
+    end
+  }
+  $log = nulllogger
+end
+
+require 'fluent/plugin/out_splunkapi'
+
+class Test::Unit::TestCase
+end

data/test/plugin/test_out_splunkapi.rb

@@ -0,0 +1,36 @@
+require 'helper'
+
+class SplunkAPIOutputTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+
+  CONFIG = %[
+    protocol rest
+    server localhost:8089
+    verify false
+    auth admin:changeme
+  ]
+
+  def create_driver(conf=CONFIG, tag='test')
+    Fluent::Test::BufferedOutputTestDriver.new(Fluent::SplunkAPIOutput, tag).configure(conf)
+  end
+
+  def test_configure
+    # default
+    d = create_driver
+    assert_equal 'rest', d.instance.protocol
+    assert_equal '{TAG}', d.instance.source
+    assert_equal 'fluent', d.instance.sourcetype
+  end
+
+  def test_write
+    d = create_driver
+
+    time = Time.parse("2010-01-02 13:14:15 UTC").to_i
+    d.emit({"a"=>1}, time)
+    d.emit({"a"=>2}, time)
+
+    d.run
+  end
+end

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-splunkapi-ssln
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Kristian Brimble
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-05-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Splunk output plugin (REST API / Storm API) for Fluentd event collector
+email:
+- kbrimble@sportingsolutions,com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- fluent-plugin-splunkapi-ssln.gemspec
+- lib/fluent/plugin/out_splunkapi-ssnl.rb
+- test/helper.rb
+- test/plugin/test_out_splunkapi.rb
+homepage: https://github.com/kbrimble/fluent-plugin-splunkapi
+licenses:
+- Apache License, Version 2.0
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: fluent-plugin-splunkapi-ssln
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Splunk output plugin (REST API / Storm API) for Fluentd event collector
+test_files:
+- test/helper.rb
+- test/plugin/test_out_splunkapi.rb