Connects Splunk to Stackstate in order to:
The StackState Agent can be configured to execute Splunk saved searches and provide the results as generic events to the StackState intake API. It dispatches the saved searches periodically, using the last event timestamp as the start of the search window and the current time as its end.
The StackState Agent expects the results of the saved searches to follow the Events Query Format described below. It requires the _time field and supports the following optional fields: event_type, msg_title, message_text and source_type_name. Any other fields present in the result are mapped to tags, where the column name is the key and the content is the value.
The Agent filters out Splunk default fields (except _time), such as _raw; see the Splunk documentation for more information about default fields.
| Field | Type | Description |
|---|---|---|
| _time* | long | Data collection timestamp, millis since epoch |
| event_type | string | Event type, e.g. server_created |
| source_type_name | string | Source type name |
* Required columns
Edit your conf.d/splunk_events.yaml file as follows. This configuration will perform the saved search events and expects it to return results according to the events query format.

```yaml
# Nesting reconstructed from the integration's instance/saved_searches layout;
# compare with the example conf.yaml shipped with the integration.
instances:
  - url: "http://localhost:8089"
    saved_searches:
      - name: "events"
```

Restart the agent.
For more details about configuring this integration refer to the following file(s) on GitHub:
The StackState Agent can execute Splunk queries and convert the results to topology elements, which are then synchronized to StackState. The StackState Agent expects the saved searches to return the latest snapshot of the topology.
In order for the StackState Agent to convert the results to topology elements, the output of the query has to match the format below. The format describes specific columns in the output that, when present, are used for the topology element. Other columns present in the output that are not defined in the query format are available as key-value pairs in the data map of the element in StackState. The column names are used as keys and the content as values. Splunk internal fields are filtered out by the StackState Agent.
| Column | Type | Description |
|---|---|---|
| id | string | The unique identifier for this component. |
| type | string | The type of the component. |
| name | string | The value will be used as the component name. |
| identifier.<identifier name> | string | The value will be included as an identifier of the component. |
| label.<label name> | string | The value will appear as a label of the component. |
* This format assumes you use the default Splunk mapping function and identity extractor in StackState. By customizing these you can define your own format.
| Column | Type | Description |
|---|---|---|
| type | string | The type of the relation. |
| sourceId | string | The id of the component that is the source of this relation. |
| targetId | string | The id of the component that is the target of this relation. |
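To make the three formats concrete, here is an added example (not StackState's or the Agent's own code) that maps saved-search result rows onto the event, component and relation shapes described above: it enforces the _time column for events, applies the identifier.* and label.* column prefixes, sends unclaimed columns to tags or the data map, and drops underscore-prefixed Splunk internals while keeping _time. The output key names (externalId, identifiers, labels, data) and the simplified internal-field filter are assumptions for illustration, as are the sample rows.

```python
from typing import Any

def _is_internal(column: str) -> bool:
    # Simplified stand-in for the Agent's default-field filter (assumption):
    # underscore-prefixed Splunk fields such as _raw are dropped, _time is kept.
    return column.startswith("_") and column != "_time"

def _extras(row: dict[str, Any], claimed: set[str]) -> dict[str, Any]:
    """Columns the format does not claim and that are not Splunk internals."""
    return {k: v for k, v in row.items() if k not in claimed and not _is_internal(k)}

def to_event(row: dict[str, Any]) -> dict[str, Any]:
    """Events query format: _time is required, the named fields are optional,
    every other column becomes a tag keyed by its column name."""
    if "_time" not in row:
        raise ValueError("event row is missing the required column '_time'")
    optional = ("event_type", "msg_title", "message_text", "source_type_name")
    event: dict[str, Any] = {"timestamp": int(row["_time"])}  # millis since epoch
    event.update({f: row[f] for f in optional if f in row})
    event["tags"] = _extras(row, {"_time", *optional})
    return event

def to_component(row: dict[str, Any]) -> dict[str, Any]:
    """Component format: id/type/name columns, identifier.* and label.* column
    prefixes; remaining columns land in the element's data map."""
    for col in ("id", "type", "name"):  # treated as required here (assumption)
        if col not in row:
            raise ValueError(f"component row is missing column {col!r}")
    prefixed = {k for k in row if k.startswith(("identifier.", "label."))}
    return {
        "externalId": row["id"], "type": row["type"], "name": row["name"],
        "identifiers": [row[k] for k in sorted(prefixed) if k.startswith("identifier.")],
        "labels": [row[k] for k in sorted(prefixed) if k.startswith("label.")],
        "data": _extras(row, {"id", "type", "name", *prefixed}),
    }

def to_relation(row: dict[str, Any]) -> dict[str, Any]:
    """Relation format: type, sourceId and targetId; the rest goes to data."""
    for col in ("type", "sourceId", "targetId"):
        if col not in row:
            raise ValueError(f"relation row is missing column {col!r}")
    return {"type": row["type"], "sourceId": row["sourceId"], "targetId": row["targetId"],
            "data": _extras(row, {"type", "sourceId", "targetId"})}

# Constructed sample row, shaped like a saved-search result (not real data).
SAMPLE_COMPONENT = {"id": "srv-42", "type": "server", "name": "web01",
                    "identifier.fqdn": "web01.example.test", "label.env": "prod",
                    "os": "linux", "_raw": "raw log line", "_bkt": "main~1"}
```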
Edit your conf.d/splunk_topology.yaml file as follows. This configuration will perform the saved search components and expects it to return results according to the components query format. It also performs the saved search named relations to obtain relations. Instead of providing the name of a saved search, a wildcard match expression can also be used to match saved searches.

```yaml
# Nesting reconstructed from the integration's instance/saved_searches layout;
# compare with the example conf.yaml shipped with the integration.
instances:
  - url: "http://localhost:8089"
    component_saved_searches:
      - name: "components"
        # Wildcard match to find event queries, can be used instead of name
        # match: "components_*"
    relation_saved_searches:
      - name: "relations"
```

Restart the agent.
For more details about configuring this integration refer to the following file(s) on GitHub: