Connects Splunk to StackState in order to:
The StackState Agent can be configured to execute Splunk saved searches and provide the results as generic events to the StackState intake API. It dispatches the saved searches periodically, each time specifying the last received event timestamp as the start of the search window and now as its end.
The StackState Agent expects the results of the saved searches to follow the Events Query Format described below. The _time field is required; event_type, msg_title, message_text and source_type_name are optional. Any other field present in the result is mapped to a tag, with the column name as the key and the content as the value. The Agent filters out Splunk's default fields (except _time), such as _raw; see the Splunk documentation for the full list of default fields.
The agent check prevents sending duplicate events over multiple check runs. To compare them, the received saved search records have to be uniquely identifiable. By default, a record's identity is composed of Splunk's default fields, including _cd. This default can be changed per saved search by setting unique_key_fields in the check's configuration. Note that the specified unique_key_fields become mandatory for each record. If no combination of fields uniquely identifies the records, the whole record can be used as the identity by setting unique_key_fields to an empty list, i.e. [].
| Field | Type | Description |
|---|---|---|
| _time* | long | Data collection timestamp, millis since epoch |
| event_type | string | Event type, e.g. server_created |
| source_type_name | string | Source type name |

* Required columns
Example Splunk query:

```
index=monitor alias_hostname=* | eval status = upper(status) | search status=CRITICAL OR status=error OR status=warning OR status=OK | table _time hostname status description
```

The hostname, status and description columns are not part of the Events Query Format, so they arrive in StackState as tags. Restrict the output with table (or fields) to the columns you actually want forwarded: every other column the search returns, apart from Splunk's default fields, is shipped as a tag.
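The following is an added example, not StackState Agent code, that models the two behaviours described above: mapping a saved-search row onto the Events Query Format (required _time, optional event fields, everything else a tag, Splunk default fields dropped) and deduplicating rows across check runs via unique_key_fields, including the two edge cases the page calls out (a configured key field missing from a record, and an empty list meaning "use the whole record"). The set of Splunk default fields, the default identity of ("_cd",), the helper names and the sample rows are all assumptions made for this example; the rows are shaped like the output of the query above.

```python
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple

# Splunk default/internal fields the check discards (except _time). Constructed
# for this example; consult the Splunk docs for the authoritative list.
SPLUNK_DEFAULT_FIELDS = {
    "_raw", "_bkt", "_cd", "_indextime", "_serial", "_si", "_sourcetype",
    "_subsecond", "host", "index", "linecount", "punct", "source",
    "sourcetype", "splunk_server", "timestamp",
}
# Optional columns of the Events Query Format.
EVENT_FIELDS = ("event_type", "msg_title", "message_text", "source_type_name")
# Assumed default identity for this example: the page names _cd among the
# default fields used; the real agent default may include more.
DEFAULT_UNIQUE_KEY_FIELDS: Sequence[str] = ("_cd",)

Record = Dict[str, object]


def to_millis(value) -> int:
    """_time as millis since epoch; also accepts the ISO-8601 string form Splunk's REST API returns."""
    if isinstance(value, (int, float)):
        return int(value)
    return int(datetime.fromisoformat(str(value)).timestamp() * 1000)


def record_identity(record: Record, unique_key_fields: Optional[Sequence[str]] = None) -> Tuple:
    """Key used to detect duplicates across check runs.

    None  -> default identity fields
    []    -> no field combination is unique, so the whole record is the key
    [...] -> listed fields are mandatory; a record lacking one is rejected
    """
    if unique_key_fields is None:
        unique_key_fields = DEFAULT_UNIQUE_KEY_FIELDS
    if len(unique_key_fields) == 0:
        return tuple(sorted((k, str(v)) for k, v in record.items()))
    missing = [f for f in unique_key_fields if f not in record]
    if missing:
        raise ValueError("record lacks mandatory unique_key_fields: " + ", ".join(missing))
    return tuple(str(record[f]) for f in unique_key_fields)


def record_to_event(record: Record) -> Dict[str, object]:
    """Map one saved-search row onto the Events Query Format."""
    if "_time" not in record:
        raise ValueError("_time is required")
    event: Dict[str, object] = {"timestamp": to_millis(record["_time"])}
    for name in EVENT_FIELDS:
        if name in record:
            event[name] = record[name]
    # Every remaining non-default column becomes a tag, column name as key.
    event["tags"] = {
        k: str(v) for k, v in record.items()
        if k != "_time" and k not in EVENT_FIELDS and k not in SPLUNK_DEFAULT_FIELDS
    }
    return event


def process_run(records: Iterable[Record], seen: Set[Tuple],
                unique_key_fields: Optional[Sequence[str]] = None) -> Tuple[List[Dict[str, object]], Set[Tuple]]:
    """One check run: emit events only for records not seen in earlier runs."""
    events = []
    for record in records:
        key = record_identity(record, unique_key_fields)
        if key in seen:
            continue
        seen.add(key)
        events.append(record_to_event(record))
    return events, seen


# Constructed sample rows, shaped like results of the example query on this page.
RUN_1 = [
    {"_time": 1614593700000, "_cd": "12:345", "_raw": "Mar  1 10:15:00 web-01 disk full",
     "hostname": "web-01", "status": "CRITICAL", "description": "disk full"},
    {"_time": 1614593760000, "_cd": "12:346", "_raw": "Mar  1 10:16:00 web-02 recovered",
     "hostname": "web-02", "status": "OK", "description": "recovered"},
]
RUN_2 = [
    RUN_1[1],  # overlaps the previous run: the next search starts at the last _time
    {"_time": "2021-03-01T10:17:00.000+00:00", "_cd": "12:347", "_raw": "Mar  1 10:17:00 web-03 cpu high",
     "hostname": "web-03", "status": "warning", "description": "cpu high"},
]


def demo() -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Two consecutive check runs sharing one seen-set; the overlapping row is emitted once."""
    seen: Set[Tuple] = set()
    first, seen = process_run(RUN_1, seen)
    second, seen = process_run(RUN_2, seen)
    return first, second


if __name__ == "__main__":
    for run in demo():
        for ev in run:
            print(ev)
```

Note that _raw never reaches the tags even though the sample rows carry it, and that the overlapping row at the start of the second run is suppressed by the seen-set rather than by the search window, which is exactly why the identity of a record matters.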