Splunk topology
Build topology out of Splunk data
This page describes StackState version 4.1.
The StackState 4.1 version range is End of Life (EOL) and no longer supported. We encourage customers still running the 4.1 version range to upgrade to a more recent release.
Overview
The StackState Agent can execute Splunk queries and convert the result to topology elements, which are then synchronized to StackState. The StackState Agent expects the saved searches
to return the latest snapshot of the topology.
In order for the StackState Agent to be able to convert the results to topology elements, the output of the query has to be according to the format below. The format describes specific columns in the output that, when present, are used for the topology element. Other columns that are present in the output format, not defined in the query format, are available as key-value-pairs in StackState inside the data
map. The column names are used as keys and the content as value. Splunk internal fields are filtered out by the StackState Agent)
Components Query Format
id
string
The unique identifier for this component.
type
string
The type of the component.
name
string
The value will be used as component name.
identifier.<identifier name>
string
The value will be included as identifier of the component.
label.<label name>
string
The value will appear as label of the component.
* This format assumes you use the default Splunk mapping function and identity extractor in StackState. By customizing these you can create your own format.
Example Splunk query:
Relations Query Format
type
string
The type of the relation.
sourceId
string
The id of the component that is the source of this relation.
targetId
string
The id of the component that is the target of this relation.
Example Splunk query:
Authentication
The Splunk integration provides various authentication mechanisms to connect to your Splunk instance.
HTTP Basic Authentication
With HTTP basic authentication, the username
and password
specified in the splunk_topology.yaml
can be used to connect to Splunk. These parameters are available in basic_auth
parameter under the authentication
section. Credentials under the root of the configuration file are deprecated and credentials provided in the new basic_auth
section will override the root credentials.
As an example, see the below config :
Token-based Authentication
Token-based authentication mechanism supports Splunk authentication tokens. An initial Splunk token is provided to the integration with a short expiration date. The integration's authentication mechanism will request a new token before expiration, respecting the renewal_days
setting, with an expiration of token_expiration_days
days.
Token-based authentication information overrides basic authentication in case both are configured.
The following new parameters are available:
name
- Name of the user who will be using this token.initial_token
- First initial valid token which will be exchanged with new generated token in the integration.audience
- JWT audience name which is purpose of token.token_expiration_days
- Validity of the newly requested token after first initial token and by default it's 90 days.renewal_days
- Number of days before when token should refresh, by default it's 10 days.
As an example, see the below config :
The above authentication configuration are part of the conf.d/splunk_topology.yaml file.
Configuration
There is an attribute ignore_saved_search_errors
inside the Splunk_topology.yaml
which is set to true
by default. This flag makes the agent less strict and allows for saved searches which might be missing or fail when running. If this flag is set to false
and one of the saved searches don't exist, it will produce an error.
Edit your
conf.d/Splunk_topology.yaml
file.Restart the agent
Last updated