Comment on page
StackState Self-hosted v5.0.x
The StackState Splunk integration synchronizes events, metrics, health and topology data from Splunk to StackState. The integration uses StackState Agent V1 and StackState Agent V2:
- StackState Agent V1 periodically connects to the configured Splunk instance to execute Splunk saved searches and retrieve data:
- Topology data from the searches configured in the Splunk Topology V1 Agent check.
- Metrics data from the searches configured in the Splunk Metrics Agent check.
- Events data from the searches configured in the Splunk Events Agent check.
- StackState Agent V2 periodically connects to the configured Splunk instance to execute Splunk saved searches and retrieve data:
- Topology data from the searches configured in the Splunk Topology V2 Agent check.
- Health data from the searches configured in the Splunk Health Agent check.
- The Agents push retrieved data to StackState.
- A running Splunk instance.
- A Splunk user account with access to Splunk saved searches. The user should have the capability
searchto dispatch and read Splunk saved searches.
The Splunk StackPack provides all the necessary configuration to easily work with Splunk topology data in StackState. Install the Splunk StackPack from the StackState UI StackPacks > Integrations screen. You will need to provide the following parameters:
- Splunk instance name - A unique name to identify the Splunk instance in StackState.
- Splunk API URL - The URL where the Splunk API can be reached. For example:
After the StackPack has been installed, you should follow the instructions below to configure the required Splunk checks on StackState Agent V2 or StackState Agent V1.
A Splunk check must be configured on StackState Agent V2 or StackState Agent V1 for each type of data you want to retrieve from Splunk:
Each Splunk check configured on StackState Agent V1 must include authentication details to allow the Agent to connect to your Splunk instance and execute the configured Splunk saved searches.
Two authentication mechanisms are available:
Token-based authentication supports Splunk authentication tokens. An initial Splunk token is provided in the Splunk check configuration. This initial token is used the first time the check starts, it is then exchanged for a new token. For details on using token based authentication with Splunk, see the Splunk documentation (docs.splunk.com).
Token-based authentication is preferred over HTTP basic authentication and will override basic authentication in case both are configured.
Example check configuration with token-based authentication
- url: "https://localhost:8089"
# username: "admin" ## deprecated
# password: "admin" ## deprecated
# verify_ssl_certificate: false
To enable token-based authentication, the following parameters should be included in the section
authentcation.token_authof each StackState Agent V1 Splunk check configuration file:
- name - Name of the user who will use this token.
- initial_token - An initial, valid token. This token will be used once only and then replaced with a new generated token requested by the integration.
- audience - The Splunk token audience.
- token_expiration_days - Validity of the newly requested token. Default 90 days.
- renewal_days - Number of days before a new token should be refreshed. Default 10 days.
The first time the check runs, the configured
initial_tokenwill be exchanged for a new token. After the configured
renewal_daysdays, another new token will be requested from Splunk with a validity of
With HTTP basic authentication, the
passwordspecified in the StackState Agent V1 check configuration files are used to connect to Splunk. These parameters are specified in the section
authentication.basic_authof each StackState Agent V1 Splunk check configuration file.
Example check configuration with HTTP basic authentication
- url: "https://localhost:8089"
# username: "admin" ## deprecated - do not use
# password: "admin" ## deprecated - do not use
# verify_ssl_certificate: false
To check the status of the Splunk integration, run the status subcommand and look for
sudo stackstate-agent status
The Splunk integration can retrieve the following data:
When the Splunk Events Agent check is configured, events will be retrieved from the configured Splunk saved search or searches. Events retrieved from splunk are available in StackState as a log telemetry stream in the
stackstate-generic-eventsdata source. This can be mapped to associated components.
When the Splunk Metrics Agent check is configured, metrics will be retrieved from the configured Splunk saved search or searches. One metric can be retrieved from each saved search. Metrics retrieved from splunk are available in StackState as a metrics telemetry stream in the
stackstate-metricsdata source. This can be mapped to associated components.
When the Splunk StackPack is installed, and a Splunk topology Agent check is configured, topology will be retrieved from the configured Splunk saved searches. The check that you should configure depends on the StackState Agent that you will use to retrieve topology data. The Splunk Topology V1 check uses StackState Agent V1 to retrieve data from Splunk, while the Splunk Topology V2 check uses StackState Agent V2.
For details on how to configure the components and relations retrieved, see:
If you have an existing Splunk topology integration configured to use StackState Agent V1 and would like to upgrade to use StackState Agent V2, refer to the Splunk topology check upgrade instructions.
When the Splunk Health Agent check is configured, health check states will be retrieved from the configured Splunk saved searches. Retrieved health check states are mapped to the associated components and relations in StackState.
The StackState Splunk integration does not retrieve any trace data.
StackState Agent V1 connects to the Splunk API at the endpoints listed below. The same endpoints are used to retrieve events, metrics and topology data.
The Splunk StackPack and the Agent checks for Splunk Events, metrics and topology are open source and available on GitHub at the links below:
To uninstall the Splunk StackPack, go to the StackState UI StackPacks > Integrations > Splunk screen and click UNINSTALL. All Splunk topology specific configuration will be removed from StackState.
For instructions on how to disable the Splunk Agent checks, see:
Configure the StackState Agent Splunk checks: