...
The Splunk component provides access to Splunk via the Splunk-provided client API, and it enables you to publish and search for events in Splunk.
Maven users will need to add the following dependency to their pom.xml for this component:
```xml
<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-splunk</artifactId>
    <version>${camel-version}</version>
</dependency>
```
URI Format
```
splunk://[endpoint]?[options]
```
Producer Endpoints
...
When publishing events the message body should contain a SplunkEvent. See later.
Example
```java
from("direct:start")
    .convertBodyTo(SplunkEvent.class)
    .to("splunk://submit?username=user&password=123&index=myindex&sourceType=someSourceType&source=mySource")...;
```
In this example a converter is required to convert to a SplunkEvent class.
Consumer Endpoints
...
Example
```java
from("splunk://normal?delay=5s&username=user&password=123&initEarliestTime=-10s&search=search index=myindex sourcetype=someSourcetype")
    .to("direct:search-result");
```
camel-splunk creates a route exchange per search result with an instance of org.apache.camel.component.splunk.event.SplunkEvent in the body.
URI Options
| Name | Default Value | Type | Description |
|---|---|---|---|
| ... | ... | Both | Splunk port |
| ... | ... | Both | ... |
| ... | ... | ... | ... |
| ... | ... | ... | Timeout in MS when connecting to Splunk server |
| ... | ... | ... | ... |
| index | null | Producer | Splunk index to write to |
| sourceType | null | Producer | ... |
| ... | ... | ... | ... |
| ... | ... | Consumer | Initial start offset of the first search. Required |
| earliestTime | null | Consumer | Earliest time of the search time window. |
| latestTime | null | Consumer | Latest time of the search time window. |
| count | 0 | Consumer | A number that indicates the maximum number of entities to return. Note this is not the same as maxMessagesPerPoll, which currently is unsupported |
| search | null | Consumer | The Splunk query to run |
| savedSearch | null | Consumer | ... |
Message Body
Splunk operates on data in key/value pairs. The SplunkEvent class is a placeholder for such data, and should be in the message body for the producer. Likewise it will be returned in the body per search result for the consumer.
From Camel 2.16.0 you can send raw data to Splunk by setting raw=true on the producer endpoint. This is useful for e.g. JSON/XML and other payloads for which Splunk has built-in support.
Use Cases
Search Twitter for tweets with music and publish events to Splunk
```java
from("twitter://search?type=polling&keywords=music&delay=10&consumerKey=abc&consumerSecret=def&accessToken=hij&accessTokenSecret=xxx")
    .convertBodyTo(SplunkEvent.class)
    .to("splunk://submit?username=foo&password=bar&index=camel-tweets&sourceType=twitter&source=music-tweets");
```
To convert a Tweet to a SplunkEvent you could use a converter like:
```java
import org.apache.camel.Converter;
import org.apache.camel.component.splunk.event.SplunkEvent;
import twitter4j.Status;

@Converter
public class Tweet2SplunkEvent {
    @Converter
    public static SplunkEvent convertTweet(Status status) {
        // event name "twitter-message", no explicit event ID
        SplunkEvent data = new SplunkEvent("twitter-message", null);
        data.addPair("from_user", status.getUser().getScreenName());
        data.addPair("in_reply_to", status.getInReplyToScreenName());
        data.addPair(SplunkEvent.COMMON_START_TIME, status.getCreatedAt());
        data.addPair(SplunkEvent.COMMON_EVENT_ID, status.getId());
        data.addPair("text", status.getText());
        data.addPair("retweet_count", status.getRetweetCount());
        // place and geo location are optional on a tweet, so guard against null
        if (status.getPlace() != null) {
            data.addPair("place_country", status.getPlace().getCountry());
            data.addPair("place_name", status.getPlace().getName());
            data.addPair("place_street", status.getPlace().getStreetAddress());
        }
        if (status.getGeoLocation() != null) {
            data.addPair("geo_latitude", status.getGeoLocation().getLatitude());
            data.addPair("geo_longitude", status.getGeoLocation().getLongitude());
        }
        return data;
    }
}
```
Search Splunk for tweets:
```java
from("splunk://normal?username=foo&password=bar&initEarliestTime=-2m&search=search index=camel-tweets sourcetype=twitter")
    .log("${body}");
```
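The producer and consumer patterns shown above, generalised as an added example that is not from the Camel documentation: the route builds a SplunkEvent from a plain Map payload instead of a tweet, reads the Splunk credentials through Camel property placeholders rather than hardcoding them in the endpoint URI, and polls a bounded search window with a result cap. The SplunkAuditRoutes class, the splunk.username/splunk.password properties, the app-audit index and the Map field names are assumptions.

```java
import java.util.Map;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.splunk.event.SplunkEvent;

// Added example, not part of camel-splunk. Assumes a properties file holding
// splunk.username and splunk.password is registered as Camel's property
// placeholder source, so no credential is written into a route definition.
public class SplunkAuditRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Producer: any Map<String, Object> sent to direct:audit becomes one SplunkEvent.
        from("direct:audit")
            .process(exchange -> {
                @SuppressWarnings("unchecked")
                Map<String, Object> fields = exchange.getIn().getBody(Map.class);
                // SplunkEvent(eventName, eventID); "app-audit" is a constructed event name,
                // the "id" field is assumed to be present in the payload
                SplunkEvent event = new SplunkEvent("app-audit", String.valueOf(fields.get("id")));
                event.addPair(SplunkEvent.COMMON_EVENT_ID, fields.get("id"));
                event.addPair(SplunkEvent.COMMON_START_TIME, fields.get("timestamp"));
                for (Map.Entry<String, Object> e : fields.entrySet()) {
                    if (e.getValue() != null) {   // skip nulls so Splunk never indexes "key=null"
                        event.addPair(e.getKey(), e.getValue());
                    }
                }
                exchange.getIn().setBody(event);
            })
            // {{...}} placeholders are resolved by Camel's properties component at startup
            .to("splunk://submit?username={{splunk.username}}&password={{splunk.password}}"
                + "&index=app-audit&sourceType=app-audit&source=audit-service");

        // Consumer: poll every 30s, start 5 minutes back, at most 100 results per search,
        // one exchange per result; the search itself is a constructed failed-login query.
        from("splunk://normal?username={{splunk.username}}&password={{splunk.password}}"
                + "&delay=30s&initEarliestTime=-5m&count=100"
                + "&search=search index=app-audit sourcetype=app-audit action=login-failed")
            .to("direct:failed-logins");
    }
}
```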
Comments
Splunk comes with a variety of options for leveraging machine-generated data with pre-built apps for analyzing and displaying this.
For example the JMX app could be used to publish JMX attributes, e.g., route and JVM metrics, to Splunk, and display them on a dashboard.