Stackstate-Splunk Topology Integration

Connects Splunk to Stackstate in order to:

Overview

  • Visualize topologies provided by splunk saved searches

The StackState Agent can execute splunk queries and convert the result to topology elements, which are then synchronized to StackState. The StackState Agent expects the saved searches to return the latest snapshot of the topology.

In order for the StackState Agent to be able to convert the results to topology elements, the output of the query has to be according to the format below. The format describes specific columns in the output that, when present, are used for the topology element. Other columns that are present in the output format, not defined in the query format, are available as key-value-pairs in StackState inside the data map. The column names are used as keys and the content as value. Splunk internal fields are filtered out by the StackState Agent)

Components Query Format

idstringThe unique identifier for this component.
typestringThe type of the component.
namestringThe value will be used as component name.
identifier.<identifier name>stringThe value will be included as identifier of the component.
label.<label name>stringThe value will appear as label of the component.

* This format assumes you use the default splunk mapping function and identity extractor in StackState. By customizing these you can create your own format.

Relations Query Format

typestringThe type of the relation.
sourceIdstringThe id of the component that is the source of this relation.
targetIdstringThe id of the component that is the target of this relation.

Configuration

  1. Edit your conf.d/splunk_topology.yaml file.
  2. Restart the agent