Overview

The StackState Splunk integration synchronizes events, metrics, health and topology data from Splunk to StackState. The integration uses StackState Agent V1 and StackState Agent V2:

• StackState Agent V1 is used to collect Splunk events and metrics data. It can also be used to collect topology data when the Splunk Topology V1 integration is configured.

• StackState Agent V2 is used to collect health data. It can also be used to collect topology data when the Splunk Topology V2 integration is configured.

Splunk is a StackState core integration.

• StackState Agent V1 periodically connects to the configured Splunk instance to execute Splunk saved searches and retrieve data:

  • Topology data from the searches configured in the Splunk Topology V1 Agent check.

  • Metrics data from the searches configured in the Splunk Metrics Agent check.

  • Events data from the searches configured in the Splunk Events Agent check.

• StackState Agent V2 periodically connects to the configured Splunk instance to execute Splunk saved searches and retrieve data:

  • Topology data from the searches configured in the Splunk Topology V2 Agent check.

  • Health data from the searches configured in the Splunk Health Agent check.

• The Agents push retrieved data to StackState.

• StackState translates incoming data:

  • Topology data is translated into components and relations.

  • Metrics data is available in StackState as a metrics telemetry stream.

  • Events is available in StackState as a log telemetry stream.

  • Health information is added to associated components and relations.

Setup

Prerequisites

• A running Splunk instance.

• A Splunk user account with access to Splunk saved searches. The user should have the capability search to dispatch and read Splunk saved searches.

• A compatible StackState Agent installed on a machine that can connect to both Splunk and StackState:

  • Metrics and events data: StackState Agent V1

  • Health data: StackState Agent V2

  • Topology data: StackState Agent V2 or StackState Agent V1

Install

The Splunk StackPack provides all the necessary configuration to easily work with Splunk topology data in StackState. Install the Splunk StackPack from the StackState UI StackPacks > Integrations screen. You will need to provide the following parameters:

• Splunk instance name - A unique name to identify the Splunk instance in StackState.

• Splunk API URL - The URL where the Splunk API can be reached. For example: http://splunk.network.local:8089.

After the StackPack has been installed, you should follow the instructions below to configure the required Splunk checks on StackState Agent V2 or StackState Agent V1.

Configure

A Splunk check must be configured on StackState Agent V2 or StackState Agent V1 for each type of data you want to retrieve from Splunk:

• StackState Agent V2 (recommended):

  • Splunk Health check - to retrieve health data from Splunk

  • Splunk Topology V2 check - to retrieve topology data from Splunk

• StackState Agent V1:

  • Splunk Events check - to retrieve events data from Splunk

  • Splunk Metrics check - to retrieve metrics data from Splunk

  • Splunk Topology V1 check - to retrieve topology data from Splunk

Authentication

Each Splunk check configured on StackState Agent V1 must include authentication details to allow the Agent to connect to your Splunk instance and execute the configured Splunk saved searches.

Two authentication mechanisms are available:

• Token-based authentication (recommended)

• HTTP basic authentication

Token-based Authentication

Token-based authentication supports Splunk authentication tokens. An initial Splunk token is provided in the Splunk check configuration. This initial token is used the first time the check starts, it is then exchanged for a new token. For details on using token based authentication with Splunk, see the Splunk documentation (docs.splunk.com).

Token-based authentication is preferred over HTTP basic authentication and will override basic authentication in case both are configured.

instances:
    - url: "https://localhost:8089"

    # username: "admin" ## deprecated
    # password: "admin" ## deprecated

    # verify_ssl_certificate: false

    authentication:
      token_auth:
        name: "api-user"
        initial_token: "my-initial-token-hash"
        audience: "search"
        token_expiration_days: 90
        renewal_days: 10

To enable token-based authentication, the following parameters should be included in the section authentcation.token_auth of each StackState Agent V1 Splunk check configuration file:

• name - Name of the user who will use this token.

• initial_token - An initial, valid token. This token will be used once only and then replaced with a new generated token requested by the integration.

• audience - The Splunk token audience.

• token_expiration_days - Validity of the newly requested token. Default 90 days.

• renewal_days - Number of days before a new token should be refreshed. Default 10 days.

The first time the check runs, the configured initial_token will be exchanged for a new token. After the configured renewal_days days, another new token will be requested from Splunk with a validity of token_expiration_days.

HTTP basic authentication

With HTTP basic authentication, the username and password specified in the StackState Agent V1 check configuration files are used to connect to Splunk. These parameters are specified in the section authentication.basic_auth of each StackState Agent V1 Splunk check configuration file.

instances:
    - url: "https://localhost:8089"

    # username: "admin" ## deprecated - do not use
    # password: "admin" ## deprecated - do not use

    # verify_ssl_certificate: false

    authentication:
      basic_auth:
        username: "admin"
        password: "admin"

Status

To check the status of the Splunk integration, run the status subcommand and look for splunk_topology, splunk_metrics and/or splunk_events under Running Checks:

sudo stackstate-agent status

Integration details

Data retrieved

The Splunk integration can retrieve the following data:

• Events

• Metrics

• Topology

• Health

Events

When the Splunk Events Agent check is configured, events will be retrieved from the configured Splunk saved search or searches. Events retrieved from splunk are available in StackState as a log telemetry stream in the stackstate-generic-events data source. This can be mapped to associated components.

For details on how to configure the events retrieved, see the Splunk Events check configuration.

Metrics

When the Splunk Metrics Agent check is configured, metrics will be retrieved from the configured Splunk saved search or searches. One metric can be retrieved from each saved search. Metrics retrieved from splunk are available in StackState as a metrics telemetry stream in the stackstate-metrics data source. This can be mapped to associated components.

For details on how to configure the metrics retrieved, see the Splunk Metrics check configuration.

Topology

When the Splunk StackPack is installed, and a Splunk topology Agent check is configured, topology will be retrieved from the configured Splunk saved searches. The check that you should configure depends on the StackState Agent that you will use to retrieve topology data. The Splunk Topology V1 check uses StackState Agent V1 to retrieve data from Splunk, while the Splunk Topology V2 check uses StackState Agent V2.

For details on how to configure the components and relations retrieved, see:

• Splunk Topology V1 check configuration (StackState Agent V1).

• Splunk Topology V2 check configuration (StackState Agent V2).

If you have an existing Splunk topology integration configured to use StackState Agent V1 and would like to upgrade to use StackState Agent V2, refer to the Splunk topology check upgrade instructions.

Health

When the Splunk Health Agent check is configured, health check states will be retrieved from the configured Splunk saved searches. Retrieved health check states are mapped to the associated components and relations in StackState.

For details on how to configure the health retrieved, see the Splunk Health check configuration.

Traces

The StackState Splunk integration does not retrieve any trace data.

REST API endpoints

StackState Agent V1 connects to the Splunk API at the endpoints listed below. The same endpoints are used to retrieve events, metrics and topology data.

For further details, see the Splunk API documentation (docs.splunk.com).

Open source

The Splunk StackPack and the Agent checks for Splunk Events, metrics and topology are open source and available on GitHub at the links below:

• Splunk StackPack (github.com)

• Splunk Topology V1 check (github.com)

• Splunk Topology V2 check (github.com)

• Splunk Metrics check (github.com)

• Splunk Events check (github.com)

• Splunk Health check (github.com)

Troubleshooting

Troubleshooting steps for any known issues can be found in the StackState support Knowledge base.

Uninstall

To uninstall the Splunk StackPack, go to the StackState UI StackPacks > Integrations > Splunk screen and click UNINSTALL. All Splunk topology specific configuration will be removed from StackState.

For instructions on how to disable the Splunk Agent checks, see:

• Disable the Splunk Topology V2 Agent check

• Disable the Splunk Topology V1 Agent check

• Disable the Splunk Metrics Agent check

• Disable the Splunk Events Agent check

• Disable the Splunk Health Agent check

Release notes

The Splunk StackPack release notes are available on GitHub.

See also

Configure the StackState Agent Splunk checks:

• StackState Agent V2 (recommended):

  • Splunk Health check - to retrieve health data from Splunk

  • Splunk Topology V2 check - to retrieve topology data from Splunk

• StackState Agent V1:

  • Splunk Events check - to retrieve events data from Splunk

  • Splunk Metrics check - to retrieve metrics data from Splunk

  • Splunk Topology V1 check - to retrieve topology data from Splunk

Other resources:

• Set up Splunk authentication with tokens (docs.splunk.com).

• Splunk API documentation (docs.splunk.com)