StackState provides two ways of accessing data in Splunk: the Splunk Plugin, and the Splunk Integrations for Splunk Events, Splunk Metrics, and Splunk Topology. The sections below describe each approach and when to use it.
The Splunk Plugin can be found in Telemetry Sources under “Splunk sources” on the StackState Settings page. From there, you can configure a data source from which StackState pulls telemetry on demand. Data pulled by the Splunk Plugin is interpreted by StackState as metrics/events. Using the Splunk Plugin is advised when the Splunk data lake contains a lot of data that is not regularly relevant to StackState, because it ensures that only the telemetry that is needed is pulled. Performance is a factor here: pulling data on demand is less costly than the constant data collection and processing that can be done with integrations.
The API Integration StackPack provides integrations for Splunk events, metrics, and topology. Integrations do not pull data on demand; instead, checks collect data at timed intervals from saved searches for Events and Metrics, or from Splunk queries for Topology. Received data is stored in StackState, but it is not automatically interpreted as it is with the plugin: check configuration is required. It is advised to use the Splunk integrations instead of the plugin when your Splunk data lake is rather small and/or you want to collect everything from Splunk.
Each integration needs to be configured as described on the following pages: