fluent-plugin-splunkapi 0.1.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-splunk.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,18 @@
+Copyright (C) 2013 Keisuke Nishida
+
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.

data/README.md

@@ -0,0 +1,192 @@
+# Fluent::Plugin::SplunkAPI
+
+Splunk output plugin for Fluent event collector.
+
+This plugin makes use of the following APIs:
+
+Splunk REST API:
+
+  http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput
+
+Splunk Storm API:
+
+  http://docs.splunk.com/Documentation/Storm/latest/User/UseStormsRESTAPI
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'fluent-plugin-splunkapi'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install fluent-plugin-splunkapi
+
+## Configuration
+
+Put the following lines to your fluent.conf:
+
+    <match **>
+      type splunkapi
+
+      #
+      # Splnk Server
+      #
+
+      # protocol: API protocol version
+      # values: rest, storm
+      # default: rest
+      protocol rest
+
+      # server: Splunk server host and port
+      # default: localhost:8089
+      server localhost:8089
+
+      # verify: SSL server verification
+      # default: true
+      #verify false
+
+      # auth: username and password
+      auth admin:pass
+
+      #
+      # Splnk Storm
+      #
+
+      # protocol: API protocol version.
+      # values: rest, storm
+      # default: rest
+      #protocol storm
+
+      # access_token: for Splunk Storm
+      #access_token YOUR-ACCESS-TOKEN
+
+      # access_token: for Splunk Storm
+      #project_id YOUR-PROJECT-ID
+
+      #
+      # Event Parameters
+      #
+
+      # host: 'host' parameter passed to Splunk
+      host YOUR-HOSTNAME
+
+      # host: 'source' parameter passed to Splunk
+      # default: {TAG}
+      #
+      # "{TAG}" will be replaced by fluent tags at runtime
+      source {TAG}
+
+      # sourcetype: 'sourcetype' parameter passed to Splunk
+      # default: fluent
+      sourcetype fluent
+
+      #
+      # Formatting Parameters
+      #
+
+      # time_format: the time format of each event
+      # value: none, unixtime, or any time format string
+      # default: %Y-%M-%d %H:%M:%S
+      #time_format %Y-%M-%d %H:%M:%S
+
+      # format: the text format of each event
+      # value: json, kvp, or text
+      # default: json
+      #
+      # input = {"x":1, "y":"xyz", "message":"Hello, world!"}
+      # 
+      # 'json' is JSON encoding:
+      #   {"x":1,"y":"xyz","message":"Hello, world!"}
+      # 
+      # 'kvp' is "key=value" pairs, which is automatically detected as fields by Splunk:
+      #   x="1" y="xyz" message="Hello, world!"
+      # 
+      # 'text' outputs the value of "message" as is, with "key=value" pairs for others:
+      #   [x="1" y="xyz"] Hello, world!
+      format json
+
+      #
+      # Buffering Parameters
+      #
+
+      # Standard parameters for buffering.  See documentation for details:
+      #   http://docs.fluentd.org/articles/buffer-plugin-overview
+      buffer_type memory
+      buffer_queue_limit 16
+
+      # buffer_chunk_limit: The maxium size of POST data in a single API call.
+      # 
+      # This value should be reasonablly small since the current implementation
+      # of out_splunkapi converts a chunk to POST data on memory before API calls.
+      # The default value should be good enough.
+      buffer_chunk_limit 8m
+
+      # flush_interval: The interval of API requests.
+      # 
+      # Make sure that this value is large enough to make successive API calls.
+      # Note that a different source produces a different API POST, each of which
+      # costs two or more seconds.  If you include "{TAG}" in the source parameter and
+      # this 'match' section recieves many tags, a single flush may take long time.
+      # (Run fluentd with -v to see verbose logs.)
+      flush_interval 60s
+    </match>
+
+## Example
+
+    # Input from applications
+    <source>
+      type forward
+    </source>
+
+    # Input from log files
+    <source>
+      type tail
+      path /var/log/apache2/ssl_access.log
+      tag ssl_access.log
+      format /(?<message>.*)/
+      pos_file /var/log/td-agent/ssl_access.log.pos
+    </source>
+
+    # fluent logs in text format
+    <match fluent.*>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype fluentd
+      format text
+    </match>
+
+    # log files in text format without timestamp
+    <match *.log>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype log
+      time_format none
+      format text
+    </match>
+
+    # application logs in kvp format
+    <match app.**>
+      type splunkapi
+      protocol rest
+      server splunk.example.com:8089
+      auth admin:pass
+      sourcetype app
+      format kvp
+    </match>
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/fluent-plugin-splunkapi.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name          = "fluent-plugin-splunkapi"
+  gem.version       = "0.1.0"
+  gem.authors       = ["Keisuke Nishida"]
+  gem.email         = ["knishida@bizmobile.co.jp"]
+  gem.description   = %q{Splunk output plugin for Fluent event collector}
+  gem.summary       = %q{Splunk output plugin for Fluent event collector}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.rubyforge_project = "fluent-plugin-splunkapi"
+  gem.add_development_dependency "fluentd"
+  gem.add_development_dependency "net-http-persistent"
+  gem.add_runtime_dependency "fluentd"
+  gem.add_runtime_dependency "net-http-persistent"
+end

data/lib/fluent/plugin/out_splunkapi.rb

@@ -0,0 +1,162 @@
+=begin
+
+  Copyright (C) 2013 Keisuke Nishida
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+
+=end
+
+module Fluent
+
+class SplunkAPIOutput < BufferedOutput
+  Plugin.register_output('splunkapi', self)
+
+  config_param :protocol, :string, :default => 'rest'
+
+  # for Splunk REST API
+  config_param :server, :string, :default => 'localhost:8089'
+  config_param :verify, :bool, :default => true
+  config_param :auth, :string, :default => nil # TODO: required with rest
+
+  # for Splunk Storm API
+  config_param :access_token, :string, :default => nil # TODO: required with storm
+  config_param :api_hostname, :string, :default => 'api.splunkstorm.com'
+  config_param :project_id, :string, :default => nil # TODO: required with storm
+
+  # Event parameters
+  config_param :host, :string, :default => nil # TODO: auto-detect
+  config_param :source, :string, :default => '{TAG}'
+  config_param :sourcetype, :string, :default => 'fluent'
+
+  # Formatting
+  config_param :time_format, :string, :default => "%Y-%M-%d %H:%M:%S"
+  config_param :format, :string, :default => 'json'
+
+  def initialize
+    super
+    require 'net/http/persistent'
+    require 'time'
+  end
+
+  def configure(conf)
+    super
+
+    case @source
+    when '{TAG}'
+      @source_formatter = lambda { |tag| tag }
+    else
+      @source_formatter = lambda { |tag| @source.sub('{TAG}', tag) }
+    end
+
+    case @time_format
+    when 'none'
+      @time_formatter = nil
+    when 'unixtime'
+      @time_formatter = lambda { |time| time.to_s }
+    else
+      @timef = TimeFormatter.new(@time_format, @localtime)
+      @time_formatter = lambda { |time| @timef.format(time) }
+    end
+
+    case @format
+    when 'json'
+      @formatter = lambda { |record|
+        record.to_json
+      }
+    when 'kvp'
+      @formatter = lambda { |record|
+        record_to_kvp(record)
+      }
+    when 'text'
+      @formatter = lambda { |record|
+        message = record['message']
+        record.delete('message')
+        if record.length == 0
+          message
+        else
+          "[#{record_to_kvp(record)}] #{message}"
+        end
+      }
+    end
+
+    if @protocol == 'rest'
+      @username, @password = @auth.split(':')
+      @base_url = "https://#{@server}/services/receivers/simple?sourcetype=#{@sourcetype}"
+      @base_url += "&host=#{@host}" if @host
+    elsif @protocol == 'storm'
+      @username, @password = 'x', @access_token
+      @base_url = "https://#{@api_hostname}/1/inputs/http?index=#{@project_id}&sourcetype=#{@sourcetype}"
+      @base_url += "&host=#{@host}" if @host
+    end
+  end
+
+  def record_to_kvp(record)
+    record.map {|k,v| v == nil ? "#{k}=" : "#{k}=\"#{v}\""}.join(' ')
+  end
+
+  def start
+    super
+    @http = Net::HTTP::Persistent.new 'fluentd-plugin-splunkapi'
+    @http.verify_mode = OpenSSL::SSL::VERIFY_NONE unless @verify
+    @http.headers['Content-Type'] = 'text/plain'
+    $log.debug "initialized for #{@base_url}"
+  end
+
+  def shutdown
+    # NOTE: call super before @http.shutdown because super may flush final output
+    super
+
+    @http.shutdown
+    $log.debug "shutdown from #{@base_url}"
+  end
+
+  def format(tag, time, record)
+    if @time_formatter
+      time_str = "#{@time_formatter.call(time)}: "
+    else
+      time_str = ''
+    end
+
+    record.delete('time')
+    event = time_str + @formatter.call(record) + "\n"
+
+    [tag, event].to_msgpack
+  end
+
+  def chunk_to_buffers(chunk)
+    buffers = {}
+    chunk.msgpack_each do |tag, event|
+      (buffers[@source_formatter.call(tag)] ||= []) << event
+    end
+    return buffers
+  end
+
+  def write(chunk)
+    chunk_to_buffers(chunk).each do |source, messages|
+      uri = URI @base_url + "&source=#{source}"
+      post = Net::HTTP::Post.new uri.request_uri
+      post.basic_auth @username, @password
+      post.body = messages.join('')
+      $log.debug "POST #{uri}"
+      response = @http.request uri, post
+      $log.error response.message if response.code != "200"
+    end
+  end
+end
+
+end

data/test/helper.rb

@@ -0,0 +1,28 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+unless ENV.has_key?('VERBOSE')
+  nulllogger = Object.new
+  nulllogger.instance_eval {|obj|
+    def method_missing(method, *args)
+      # pass
+    end
+  }
+  $log = nulllogger
+end
+
+require 'fluent/plugin/out_splunkapi'
+
+class Test::Unit::TestCase
+end

data/test/plugin/test_out_splunkapi.rb

@@ -0,0 +1,36 @@
+require 'helper'
+
+class SplunkAPIOutputTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+
+  CONFIG = %[
+    protocol rest
+    server localhost:8089
+    verify false
+    auth admin:changeme
+  ]
+
+  def create_driver(conf=CONFIG, tag='test')
+    Fluent::Test::BufferedOutputTestDriver.new(Fluent::SplunkAPIOutput, tag).configure(conf)
+  end
+
+  def test_configure
+    # default
+    d = create_driver
+    assert_equal 'rest', d.instance.protocol
+    assert_equal '{TAG}', d.instance.source
+    assert_equal 'fluent', d.instance.sourcetype
+  end
+
+  def test_write
+    d = create_driver
+
+    time = Time.parse("2010-01-02 13:14:15 UTC").to_i
+    d.emit({"a"=>1}, time)
+    d.emit({"a"=>2}, time)
+
+    d.run
+  end
+end

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-splunkapi
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Keisuke Nishida
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-01-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Splunk output plugin for Fluent event collector
+email:
+- knishida@bizmobile.co.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- fluent-plugin-splunkapi.gemspec
+- lib/fluent/plugin/out_splunkapi.rb
+- test/helper.rb
+- test/plugin/test_out_splunkapi.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: fluent-plugin-splunkapi
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Splunk output plugin for Fluent event collector
+test_files:
+- test/helper.rb
+- test/plugin/test_out_splunkapi.rb