Fluent::Plugin::SplunkAPI, a plugin for Fluentd
Splunk output plugin for Fluent event collector.
This plugin makes use of the following APIs:
Splunk REST API:
http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput
Splunk Storm API:
http://docs.splunk.com/Documentation/Storm/latest/User/UseStormsRESTAPI
Notes
Although this plugin is capable of sending Fluent events directly to Splunk servers or Splunk Storm, it is not recommended to do so. Please use "Universal Forwarder" as a gateway, as described below.
It is known that this plugin has several issues of performance and error handling in dealing with large data sets. With a local/reliable forwarder, you can aggregate a number of events locally and send them to a server in bulk.
In short, I'd recommend to install a forwarder in each host, and use this plugin to deliver events to the local forwarder:
<match **>
# Deliver events to the local forwarder.
type splunkapi
protocol rest
server 127.0.0.1:8089
verify false
auth admin:changeme
# Convert fluent tags to Splunk sources.
# If you set an index, "check_index false" is required.
host YOUR-HOSTNAME
index SOME-INDEX
check_index false
source {TAG}
sourcetype fluent
# TIMESTAMP: key1="value1" key2="value2" ...
time_format unixtime
format kvp
# Memory buffer with a short flush internal.
buffer_type memory
buffer_queue_limit 16
buffer_chunk_limit 8m
flush_interval 2s
</match>
Additional Notes
Splunk 5 has a new feature called "Modular Inputs":
http://blogs.splunk.com/2013/04/16/modular-inputs-tools/
My plan is switching to Modular Inputs rather than staying with APIs.
Installation
Add this line to your application's Gemfile:
gem 'fluent-plugin-splunkapi'
And then execute:
$ bundle
Or install it yourself as:
$ gem install fluent-plugin-splunkapi
Configuration
Put the following lines to your fluent.conf:
<match **>
type splunkapi
#
# Splnk Server
#
# protocol: API protocol version
# values: rest, storm
# default: rest
protocol rest
# server: Splunk server host and port
# default: localhost:8089
server localhost:8089
# verify: SSL server verification
# default: true
#verify false
# auth: username and password
auth admin:pass
#
# Splnk Storm
#
# protocol: API protocol version.
# values: rest, storm
# default: rest
#protocol storm
# access_token: for Splunk Storm
#access_token YOUR-ACCESS-TOKEN
# access_token: for Splunk Storm
#project_id YOUR-PROJECT-ID
#
# Event Parameters
#
# host: 'host' parameter passed to Splunk
host YOUR-HOSTNAME
# index: 'index' parameter passed to Splunk (REST only)
# default: <none>
#index main
# check_index: 'check-index' parameter passed to Splunk (REST only)
# default: <none>
#check_index false
# host: 'source' parameter passed to Splunk
# default: {TAG}
#
# "{TAG}" will be replaced by fluent tags at runtime
source {TAG}
# sourcetype: 'sourcetype' parameter passed to Splunk
# default: fluent
sourcetype fluent
#
# Formatting Parameters
#
# time_format: the time format of each event
# value: none, unixtime, localtime, or any time format string
# default: localtime
time_format localtime
# format: the text format of each event
# value: json, kvp, or text
# default: json
#
# input = {"x":1, "y":"xyz", "message":"Hello, world!"}
#
# 'json' is JSON encoding:
# {"x":1,"y":"xyz","message":"Hello, world!"}
#
# 'kvp' is "key=value" pairs, which is automatically detected as fields by Splunk:
# x="1" y="xyz" message="Hello, world!"
#
# 'text' outputs the value of "message" as is, with "key=value" pairs for others:
# [x="1" y="xyz"] Hello, world!
format json
#
# Buffering Parameters
#
# Standard parameters for buffering. See documentation for details:
# http://docs.fluentd.org/articles/buffer-plugin-overview
buffer_type memory
buffer_queue_limit 16
# buffer_chunk_limit: The maxium size of POST data in a single API call.
#
# This value should be reasonablly small since the current implementation
# of out_splunkapi converts a chunk to POST data on memory before API calls.
# The default value should be good enough.
buffer_chunk_limit 8m
# flush_interval: The interval of API requests.
#
# Make sure that this value is sufficiently large to make successive API calls.
# Note that a different 'source' creates a different API POST, each of which may
# take two or more seconds. If you include "{TAG}" in the source parameter and
# this 'match' section recieves many tags, a single flush may take long time.
# (Run fluentd with -v to see verbose logs.)
flush_interval 60s
</match>
Example
# Input from applications
<source>
type forward
</source>
# Input from log files
<source>
type tail
path /var/log/apache2/ssl_access.log
tag ssl_access.log
format /(?<message>.*)/
pos_file /var/log/td-agent/ssl_access.log.pos
</source>
# fluent logs in text format
<match fluent.*>
type splunkapi
protocol rest
server splunk.example.com:8089
auth admin:pass
sourcetype fluentd
format text
</match>
# log files in text format without timestamp
<match *.log>
type splunkapi
protocol rest
server splunk.example.com:8089
auth admin:pass
sourcetype log
time_format none
format text
</match>
# application logs in kvp format
<match app.**>
type splunkapi
protocol rest
server splunk.example.com:8089
auth admin:pass
sourcetype app
format kvp
</match>
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request