...
The Splunk component provides access to Splunk via the Splunk-provided client API, which uses Splunk's REST API, allowing you to publish and search for events in Splunk.
Maven users will need to add the following dependency to their pom.xml for this component:
    <dependency>
        <groupId>org.apache.camel</groupId>
        <artifactId>camel-splunk</artifactId>
        <version>${camel-version}</version>
    </dependency>
URI Format
    splunk://[endpoint]?[options]
Producer Endpoints
Endpoint | Description
stream | Streams data to a named index, or the default index if not specified. When using stream mode be aware that Splunk has some internal buffer (about 1MB or so) before events get to the index. If you need realtime, better use submit or TCP mode.
submit | Submit mode. Uses Splunk's REST API to publish events to a named index, or the default if not specified.
tcp | TCP mode. Streams data to a TCP port, and requires an open receiver port in Splunk.
When publishing events the message body should contain a SplunkEvent. See the Message Body section later on this page.
Example
    from("direct:start")
        .convertBodyTo(SplunkEvent.class)
        .to("splunk://submit?username=user&password=123&index=myindex&sourceType=someSourceType&source=mySource")...;
In this example a converter is required to convert the body to a SplunkEvent instance.
Consumer Endpoints
Endpoint | Description
normal | Performs a normal search and requires a search query in the search option.
savedsearch | Performs a search based on a search query saved in Splunk and requires the name of the query in the savedSearch option.
Example
    from("splunk://normal?delay=5s&username=user&password=123&initEarliestTime=-10s&search=search index=myindex sourcetype=someSourcetype")
        .to("direct:search-result");
camel-splunk creates a route exchange per search result with an instance of org.apache.camel.component.splunk.event.SplunkEvent in the body.
URI Options
Name | Default Value | Context | Description
connectionTimeout | 5000 | Both | Splunk server connection timeout, in milliseconds.
count | 0 | Consumer | A number that indicates the maximum number of entities to return. Warning: this is not the same as the maxMessagesPerPoll option, which currently is unsupported.
earliestTime | null | Consumer | Earliest time of the search time window.
eventHost | null | Producer | Camel 2.17: Override the default Splunk event host field.
host | localhost | Both | Splunk host.
index | null | Producer | Splunk index to write to.
initEarliestTime | null | Consumer | Initial start offset of the first search. Required.
latestTime | null | Consumer | Latest time of the search time window.
password | null | Both | Splunk password.
port | 8089 | Both | Splunk port.
raw | false | Producer | Camel 2.16.0: Governs whether the body should be inserted as raw (true/false). If true, the body will be transformed to a java.lang.String before it is sent to Splunk.
savedSearch | null | Consumer | The name of the query saved in Splunk to run.
scheme | https | Both | Scheme to use. Can be one of: http or https.
search | null | Consumer | The Splunk query to run.
source | null | Producer | Splunk source argument.
sourceType | null | Producer | Splunk sourcetype argument.
sslProtocol | TLSv1.2 | Both | Camel 2.16: The SSL protocol to use. Can be one of: TLSv1.2, TLSv1.1, TLSv1, SSLv3. Note: this option is ignored unless the scheme is https.
streaming | false | Consumer | Camel 2.14.0: Stream exchanges as they are received from Splunk, rather than returning all of them in one batch. This has the benefit of receiving results faster, as well as requiring less memory as exchanges are not buffered in the component.
tcpReceiverPort | 0 | Producer | Splunk TCP receiver port when using the TCP producer endpoint.
username | null | Both | Splunk username.
useSunHttpsHandler | false | Both | When true an instance of sun.net.www.protocol.https.Handler is used to establish the connection to Splunk. Can be useful when running in application servers to avoid application server HTTPS handling.
Message Body
Splunk operates on data in key/value pairs. The SplunkEvent class is a placeholder for such data, and should be in the message body for the producer. Likewise it will be returned in the body per search result for the consumer.
From Camel 2.16.0 you can send raw data to Splunk by setting the raw option to true on the producer endpoint. This is useful for, e.g., JSON/XML and other payloads for which Splunk has built-in support.
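The following RouteBuilder is an added example, not code from the Camel documentation, that combines the producer options (raw JSON, https with a pinned sslProtocol, credentials from placeholders rather than literal values in the URI) with a streaming consumer that reads the key/value pairs of each SplunkEvent result. It assumes the property placeholders splunk.user and splunk.pass are defined, an index named audit exists, the JSON events carry fields named user and src_ip, and that SplunkEvent exposes its key/value pairs via getEventData() (an accessor not shown on this page).

```java
import java.util.Map;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.splunk.event.SplunkEvent;

// Added example, not code from the Camel documentation. Assumes the Camel
// property placeholders splunk.user and splunk.pass are defined, an index
// named "audit" exists, the JSON events carry "user" and "src_ip" fields,
// and that SplunkEvent exposes its key/value pairs via getEventData()
// (assumption; that accessor is not shown on the documentation page).
public class SplunkAuditRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Producer: raw=true sends the body as a java.lang.String, so a JSON
        // payload reaches Splunk unchanged (Camel 2.16+). The scheme stays
        // https and sslProtocol is pinned to TLSv1.2 so the connection never
        // falls back to TLSv1 or SSLv3. Credentials come from placeholders
        // instead of being written into the route URI.
        from("direct:audit-json")
            .to("splunk://submit?scheme=https&sslProtocol=TLSv1.2"
                + "&username={{splunk.user}}&password={{splunk.pass}}"
                + "&index=audit&sourceType=_json&source=camel&raw=true");

        // Consumer: poll every 30s, first search starts 5 minutes back.
        // streaming=true hands each result to the route as it arrives
        // instead of buffering the whole batch in the component.
        from("splunk://normal?delay=30s&initEarliestTime=-5m&streaming=true"
                + "&username={{splunk.user}}&password={{splunk.pass}}"
                + "&search=search index=audit sourcetype=_json action=login status=failure")
            .process(exchange -> {
                // Each search result is a SplunkEvent in the message body;
                // its key/value pairs are copied to headers for the log step.
                SplunkEvent event = exchange.getIn().getBody(SplunkEvent.class);
                Map<String, String> fields = event.getEventData();
                exchange.getIn().setHeader("failedUser", fields.get("user"));
                exchange.getIn().setHeader("sourceIp", fields.get("src_ip"));
            })
            .to("log:failed-logins?showHeaders=true");
    }
}
```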
...
Search Twitter for tweets with music and publish events to Splunk
    from("twitter://search?type=polling&keywords=music&delay=10&consumerKey=abc&consumerSecret=def&accessToken=hij&accessTokenSecret=xxx")
        .convertBodyTo(SplunkEvent.class)
        .to("splunk://submit?username=foo&password=bar&index=camel-tweets&sourceType=twitter&source=music-tweets");
To convert a Tweet to a SplunkEvent you could use a converter like:
    import org.apache.camel.Converter;
    import org.apache.camel.component.splunk.event.SplunkEvent;
    import twitter4j.Status;

    @Converter
    public class Tweet2SplunkEvent {

        @Converter
        public static SplunkEvent convertTweet(Status status) {
            // Event name "twitter-message"; the tweet id is added as the event id pair below
            SplunkEvent data = new SplunkEvent("twitter-message", null);
            //data.addPair("source", status.getSource());
            data.addPair("from_user", status.getUser().getScreenName());
            data.addPair("in_reply_to", status.getInReplyToScreenName());
            data.addPair(SplunkEvent.COMMON_START_TIME, status.getCreatedAt());
            data.addPair(SplunkEvent.COMMON_EVENT_ID, status.getId());
            data.addPair("text", status.getText());
            data.addPair("retweet_count", status.getRetweetCount());
            // Place and geolocation are optional on a tweet, so guard against null
            if (status.getPlace() != null) {
                data.addPair("place_country", status.getPlace().getCountry());
                data.addPair("place_name", status.getPlace().getName());
                data.addPair("place_street", status.getPlace().getStreetAddress());
            }
            if (status.getGeoLocation() != null) {
                data.addPair("geo_latitude", status.getGeoLocation().getLatitude());
                data.addPair("geo_longitude", status.getGeoLocation().getLongitude());
            }
            return data;
        }
    }
Search Splunk for tweets:
    from("splunk://normal?username=foo&password=bar&initEarliestTime=-2m&search=search index=camel-tweets sourcetype=twitter")
        .log("${body}");
...
Splunk comes with a variety of options for leveraging machine-generated data, with pre-built apps for analyzing and displaying it.
For example, the JMX app could be used to publish JMX attributes, e.g., route and JVM metrics, to Splunk and display them on a dashboard.
...