Stackstate-Splunk Integration

Connects Splunk to Stackstate in order to:

  • Report events from a Splunk saved search to StackState
  • Visualize topologies provided by Splunk saved searches

Events

The StackState Agent can be configured to execute Splunk saved searches and forward the results as generic events to the StackState intake API. It dispatches the saved searches periodically, passing the timestamp of the last event it reported as the start of the search window and "now" as the end, so that each run only picks up events that have not been sent before.

The StackState Agent expects the results of the saved searches to follow the Events Query Format described below. The _time column is required; the optional columns are event_type, msg_title, msg_text and source_type_name. Any other column present in the result is mapped to a tag, with the column name as the key and the column content as the value.

The Agent filters out Splunk default fields (except _time), such as _raw. See the Splunk documentation on default fields for the full list.

Events Query Format

Column            Type    Description
_time*            long    Data collection timestamp, millis since epoch
event_type        string  Event type, e.g. server_created
msg_title         string  Message title
msg_text          string  Message text
source_type_name  string  Source type name

* Required columns
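The mapping described above, as an added example in Python (it is not the integration's own code): rows from a saved search are turned into events, _time is enforced as required, the four optional columns are copied through, Splunk internal fields are dropped, every remaining column becomes a tag, and rows at or before the last reported timestamp are skipped so a periodic run does not resend events. The function names, the approximation of Splunk's default-field list and the sample rows are assumptions made for this illustration.

```python
# Added example, not part of the StackState Splunk integration or of Splunk.
# Maps saved-search rows to generic events per the Events Query Format and
# applies the "since last event timestamp" window the Agent uses between runs.
# Function names, the internal-field list and the sample rows are assumptions.
from typing import Any, Dict, List, Tuple

OPTIONAL_FIELDS = ("event_type", "msg_title", "msg_text", "source_type_name")

# Assumed approximation of Splunk's default fields: any column starting with
# an underscore (except _time) plus a few well-known non-underscore defaults.
SPLUNK_DEFAULT_FIELDS = {"host", "source", "sourcetype", "index",
                         "splunk_server", "linecount", "punct"}


def is_internal_field(column: str) -> bool:
    """True for Splunk default fields that are filtered out (never _time)."""
    if column == "_time":
        return False
    return column.startswith("_") or column in SPLUNK_DEFAULT_FIELDS


def row_to_event(row: Dict[str, Any]) -> Dict[str, Any]:
    """Map one saved-search row to an event; raises ValueError without _time."""
    if row.get("_time") in (None, ""):
        raise ValueError("row has no _time column (required)")
    event: Dict[str, Any] = {"timestamp": int(row["_time"])}
    for field in OPTIONAL_FIELDS:
        if row.get(field) not in (None, ""):
            event[field] = str(row[field])
    # Every other non-internal column becomes a tag: column name -> value.
    event["tags"] = {
        column: str(value)
        for column, value in row.items()
        if column != "_time"
        and column not in OPTIONAL_FIELDS
        and not is_internal_field(column)
    }
    return event


def rows_to_events(rows: List[Dict[str, Any]],
                   since_ms: int) -> Tuple[List[Dict[str, Any]], int, int]:
    """Convert a result set, keeping only rows newer than the last event
    timestamp already reported (since_ms). Malformed rows are counted rather
    than aborting the run. Returns (events, new_watermark_ms, rejected_rows)."""
    events: List[Dict[str, Any]] = []
    watermark = since_ms
    rejected = 0
    for row in rows:
        try:
            event = row_to_event(row)
        except ValueError:
            rejected += 1        # row without _time: skip and count it
            continue
        if event["timestamp"] <= since_ms:
            continue             # already reported by an earlier run
        events.append(event)
        watermark = max(watermark, event["timestamp"])
    return events, watermark, rejected


# Constructed sample rows, shaped like the output of a saved search.
SAMPLE_ROWS = [
    {"_time": 1500000000000, "event_type": "server_created",
     "msg_title": "Server created", "msg_text": "web-01 was provisioned",
     "source_type_name": "provisioning", "hostname": "web-01", "env": "prod",
     "_raw": "raw log line", "_serial": "1"},
    {"_time": 1500000005000, "event_type": "server_removed",
     "hostname": "web-02", "env": "prod", "_raw": "raw log line", "_serial": "2"},
    {"event_type": "no_time_column", "hostname": "web-03"},
]

if __name__ == "__main__":
    events, watermark, rejected = rows_to_events(SAMPLE_ROWS, since_ms=0)
    for event in events:
        print(event)
    print("next run starts after", watermark, "- rejected rows:", rejected)
```

The returned watermark is what the next dispatch would pass as its start timestamp; a row that lacks _time cannot be placed in that window, which is why it is rejected instead of being given a guessed time.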

Configuration

  1. Edit your conf.d/splunk_events.yaml file as follows. This configuration runs the saved search named events and expects it to return results according to the Events Query Format. The URL and credentials below are placeholders: in production, point the Agent at Splunk's management port over TLS (https://) and use a dedicated Splunk user that is only allowed to run the saved searches the Agent needs.

    instances:
      - url: "http://localhost:8089"
        username: "admin"
        password: "admin"
        saved_searches:
          - name: "events"

  2. Restart the agent

For more details about configuring this integration refer to the following file(s) on GitHub:

Topology

The StackState Agent can execute splunk queries and convert the result to topology elements, which are then synchronized to StackState. The StackState Agent expects the saved searches to return the latest snapshot of the topology.

In order for the StackState Agent to convert the results to topology elements, the output of the query has to follow the format below. The format names specific columns that, when present, are used to build the topology element. Any other column in the output, not defined in the query format, is available in StackState as a key-value pair in the element's data map, with the column name as the key and the content as the value. Splunk internal fields are filtered out by the StackState Agent.

Components Query Format

Column                        Type    Description
id                            string  The unique identifier for this component.
type                          string  The type of the component.
name                          string  The value will be used as the component name.
identifier.<identifier name>  string  The value will be included as an identifier of the component.
label.<label name>            string  The value will appear as a label of the component.

* This format assumes you use the default Splunk mapping function and identity extractor in StackState. By customizing these you can define your own format.

Relations Query Format

Column    Type    Description
type      string  The type of the relation.
sourceId  string  The id of the component that is the source of this relation.
targetId  string  The id of the component that is the target of this relation.
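The Components and Relations Query Formats, as an added example in Python (not the integration's own code): rows from a components saved search and a relations saved search are mapped to topology elements, with identifier.* and label.* columns split off by prefix, remaining columns placed in the data map and Splunk internal fields dropped. It also adds the check a practitioner wants on a snapshot: relations whose sourceId or targetId does not match any component id in the same snapshot are reported separately instead of being passed on silently. The function names, the output structure, the internal-field rule and the sample rows are assumptions made for this illustration.

```python
# Added example, not part of the StackState Splunk integration. Maps saved-search
# rows to components and relations per the query formats above and flags
# relations with dangling endpoints. Names, structure and rows are assumptions.
from typing import Any, Dict, List

COMPONENT_REQUIRED = ("id", "type", "name")
RELATION_REQUIRED = ("type", "sourceId", "targetId")


def is_internal_field(column: str) -> bool:
    """Assumed rule for Splunk internal fields: a leading underscore."""
    return column.startswith("_")


def row_to_component(row: Dict[str, Any]) -> Dict[str, Any]:
    """Map a components row: fixed columns, identifier.* and label.* prefixes,
    everything else into the data map."""
    missing = [c for c in COMPONENT_REQUIRED if row.get(c) in (None, "")]
    if missing:
        raise ValueError(f"component row missing required column(s) {missing}")
    component: Dict[str, Any] = {
        "externalId": str(row["id"]), "type": str(row["type"]),
        "name": str(row["name"]), "identifiers": [], "labels": {}, "data": {},
    }
    for column, value in row.items():
        if column in COMPONENT_REQUIRED or is_internal_field(column):
            continue
        if column.startswith("identifier."):
            component["identifiers"].append(str(value))
        elif column.startswith("label."):
            component["labels"][column[len("label."):]] = str(value)
        else:
            component["data"][column] = str(value)
    return component


def row_to_relation(row: Dict[str, Any]) -> Dict[str, Any]:
    """Map a relations row; extra non-internal columns go to the data map."""
    missing = [c for c in RELATION_REQUIRED if row.get(c) in (None, "")]
    if missing:
        raise ValueError(f"relation row missing required column(s) {missing}")
    relation: Dict[str, Any] = {
        "type": str(row["type"]), "sourceId": str(row["sourceId"]),
        "targetId": str(row["targetId"]), "data": {},
    }
    for column, value in row.items():
        if column not in RELATION_REQUIRED and not is_internal_field(column):
            relation["data"][column] = str(value)
    return relation


def build_snapshot(component_rows: List[Dict[str, Any]],
                   relation_rows: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build one topology snapshot. Relations whose endpoints are not among
    the snapshot's component ids are returned under "dangling"."""
    components = [row_to_component(r) for r in component_rows]
    known_ids = {c["externalId"] for c in components}
    accepted: List[Dict[str, Any]] = []
    dangling: List[Dict[str, Any]] = []
    for relation in (row_to_relation(r) for r in relation_rows):
        if relation["sourceId"] in known_ids and relation["targetId"] in known_ids:
            accepted.append(relation)
        else:
            dangling.append(relation)
    return {"components": components, "relations": accepted, "dangling": dangling}


# Constructed sample rows, shaped like saved-search output.
COMPONENT_ROWS = [
    {"id": "urn:host:web-01", "type": "host", "name": "web-01",
     "identifier.fqdn": "web-01.example.org", "label.env": "prod",
     "os": "linux", "_raw": "ignored"},
    {"id": "urn:service:web", "type": "service", "name": "web"},
]
RELATION_ROWS = [
    {"type": "runs_on", "sourceId": "urn:service:web",
     "targetId": "urn:host:web-01", "_serial": "1"},
    {"type": "depends_on", "sourceId": "urn:service:web",
     "targetId": "urn:db:orders"},   # urn:db:orders is not in this snapshot
]

if __name__ == "__main__":
    snapshot = build_snapshot(COMPONENT_ROWS, RELATION_ROWS)
    print(snapshot["components"])
    print("relations:", snapshot["relations"])
    print("dangling:", snapshot["dangling"])
```

Because each run is expected to return the latest complete snapshot, a relation endpoint missing from the components result usually means the components search and the relations search disagree (different time windows or filters), which is worth surfacing before the snapshot is synchronized.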

Configuration

  1. Edit your conf.d/splunk_topology.yaml file as follows. This configuration runs the saved search named components and expects it to return results according to the Components Query Format. It also runs the saved search named relations to obtain relations. Instead of the name of a saved search, a wildcard match expression can be used to select several saved searches at once. As with the events configuration, the URL and credentials are placeholders; use TLS and a dedicated, minimally privileged Splunk user in production.

    instances:
      - url: "http://localhost:8089"
        username: "admin"
        password: "admin"
        component_saved_searches:
          - name: "components"
          # Wildcard match to find component queries, can be used instead of name
          # match: "components_*"
        relation_saved_searches:
          - name: "relations"

  2. Restart the agent

For more details about configuring this integration refer to the following file(s) on GitHub: