Stackstate-Splunk Event Integration

Overview

Connects Splunk to StackState in order to:

  • Report events from a Splunk saved search to StackState

The StackState Agent can be configured to execute Splunk saved searches and forward the results as generic events to the StackState intake API. It dispatches the saved searches periodically, each time using the timestamp of the last received event as the start of the search window and now as its end.

The StackState Agent expects the results of the saved searches to follow the Events Query Format described below. The _time field is required; event_type, msg_title, msg_text and source_type_name are optional. Any other fields present in a result row are mapped to tags, with the column name as the key and the cell content as the value. The Agent filters out Splunk default fields (except _time) such as _raw; see the Splunk documentation for the full list of default fields.

The Agent check prevents the same event from being sent twice across multiple check runs. To compare records between runs, each saved search record must be uniquely identifiable. By default, a record's identity is the combination of Splunk's default fields _bkt and _cd. This can be changed per saved search by setting unique_key_fields in the check's configuration. Note that every field listed in unique_key_fields becomes mandatory for each record. If no combination of fields identifies a record uniquely, the whole record can be used as its identity by setting unique_key_fields to [], i.e. an empty list.
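The following is an added example, not the StackState Agent's own check code, showing the two rules described above in working Python: mapping a saved search result row onto the Events Query Format (required _time, the optional event fields, everything else as tags, Splunk default fields dropped) and suppressing records already seen in an earlier run using the configured unique_key_fields. The list of Splunk default fields is an illustrative subset, and the sample records are constructed for the example.

```python
"""Added example (not the StackState Agent's code): Splunk saved-search rows to
StackState-style events, with cross-run duplicate suppression."""
from typing import Any, Dict, Iterable, List, Sequence, Set, Tuple

# Illustrative subset of Splunk's default fields (assumption: the real check uses
# the full list from the Splunk documentation). _time is deliberately not listed,
# because it is the one default field that is kept.
SPLUNK_DEFAULT_FIELDS = {
    "_raw", "_bkt", "_cd", "_indextime", "_serial", "_si", "_sourcetype",
    "host", "index", "linecount", "source", "sourcetype", "splunk_server",
}
OPTIONAL_EVENT_FIELDS = ("event_type", "msg_title", "msg_text", "source_type_name")
DEFAULT_UNIQUE_KEY_FIELDS: Sequence[str] = ("_bkt", "_cd")

# Constructed sample rows, as a Splunk saved search might return them
# (values are strings, as in Splunk's JSON output). The second row repeats the
# first to show de-duplication; "host" and "_raw" are default fields.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"_time": "1700000000000", "event_type": "server_created",
     "msg_title": "Server created", "msg_text": "web-01 provisioned",
     "source_type_name": "provisioning", "_bkt": "main~1~A", "_cd": "1:100",
     "_raw": "<raw log line>", "host": "web-01", "env": "prod", "region": "eu"},
    {"_time": "1700000000000", "event_type": "server_created",
     "msg_title": "Server created", "msg_text": "web-01 provisioned",
     "source_type_name": "provisioning", "_bkt": "main~1~A", "_cd": "1:100",
     "_raw": "<raw log line>", "host": "web-01", "env": "prod", "region": "eu"},
    {"_time": "1700000060000", "event_type": "server_deleted",
     "msg_title": "Server deleted", "msg_text": "web-02 decommissioned",
     "_bkt": "main~1~A", "_cd": "1:101", "host": "web-02", "env": "staging"},
]


def record_identity(record: Dict[str, str], unique_key_fields: Sequence[str]) -> Tuple:
    """Identity used to recognise a record seen in an earlier check run.

    An empty unique_key_fields means "use the whole record"; otherwise every
    configured field is mandatory and a record missing one is rejected.
    """
    if not unique_key_fields:
        return tuple(sorted(record.items()))
    missing = [f for f in unique_key_fields if f not in record]
    if missing:
        raise ValueError("record lacks mandatory unique_key_fields: %s" % missing)
    return tuple(record[f] for f in unique_key_fields)


def record_to_event(record: Dict[str, str]) -> Dict[str, Any]:
    """Map one saved-search row onto the Events Query Format."""
    if "_time" not in record:
        raise ValueError("_time is required in every saved search result")
    event: Dict[str, Any] = {"timestamp": int(record["_time"])}  # millis since epoch
    for field in OPTIONAL_EVENT_FIELDS:
        if field in record:
            event[field] = record[field]
    # Every remaining non-default column becomes a "column:value" tag.
    event["tags"] = sorted(
        "%s:%s" % (key, value) for key, value in record.items()
        if key != "_time"
        and key not in OPTIONAL_EVENT_FIELDS
        and key not in SPLUNK_DEFAULT_FIELDS
    )
    return event


def process_records(records: Iterable[Dict[str, str]], seen: Set[Tuple],
                    unique_key_fields: Sequence[str] = DEFAULT_UNIQUE_KEY_FIELDS
                    ) -> Tuple[List[Dict[str, Any]], Set[Tuple]]:
    """Convert records to events, skipping any whose identity is already in `seen`.

    Returns (events, seen); the caller keeps `seen` between check runs.
    """
    events: List[Dict[str, Any]] = []
    for record in records:
        ident = record_identity(record, unique_key_fields)
        if ident in seen:
            continue
        seen.add(ident)
        events.append(record_to_event(record))
    return events, seen


if __name__ == "__main__":
    first_run, state = process_records(SAMPLE_RECORDS, set())
    second_run, _ = process_records(SAMPLE_RECORDS, state)
    print("first run : %d event(s)" % len(first_run))
    print("second run: %d event(s)" % len(second_run))
```

With the default key fields the duplicate row collapses into one event and a second run over the same rows yields nothing new; passing `unique_key_fields=[]` keys on the whole row instead, while a configured key field that is absent from a row raises an error rather than silently producing a weak identity.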

Events Query Format

Column            Type    Description
_time*            long    Data collection timestamp, millis since epoch
event_type        string  Event type, e.g. server_created
msg_title         string  Message title
msg_text          string  Message text
source_type_name  string  Source type name

* Required columns

Configuration

  1. Edit your conf.d/splunk_events.yaml file.
  2. Restart the Agent.