SplunkEventCollector
The Splunk Event Collector microservice sends application events to a Splunk deployment over HTTP or HTTPS (secure HTTP). It generates tokens for authentication, enabling the HTTP client to send data to the SplunkEventCollector in a specific format, thereby eliminating the need for an intermediate microservice to send application events.
Configuration and Testing
Component Configurations
The following attributes can be configured in the Component Configuration panel as shown below.
Figure 1: Component Configuration properties
Process Message Based on Property
The property helps components to skip certain messages from processing.
Refer to the Process Message Based On a Property section under the Common Configurations topic.
Validate Input
If this attribute is enabled, the service tries to validate the input received. If it is disabled, the service does not validate the input. For more details, refer to the Validate Input section under Interaction Configurations on the Common Configurations page.
Performance increases when the Validate Input option is disabled, but this may cause undesired results if the input XML is not valid.
Error handling configuration
The remedial actions to be taken when a particular error occurs can be configured using this attribute.
Click the ellipsis button against this property to configure Error Handling properties for different types of Errors. By default, the options Log to error logs, Stop service and Send to error port are enabled.
Refer to the Error Handling section in Common Configurations for detailed information.
Connection Configuration
Figure 2: Connection Configuration
Host name
The name or address of the machine on which the Splunk server runs.
Port
The port on which the above server runs.
Event Configuration
Click the Event Configuration ellipsis button to provide Event Configuration values.
Figure 3: Event Configuration
Add Metadata
This returns a list of sources, source types, or hosts from a specified index or distributed search peer.
Enable this option to configure the following properties that appear.
Index
This identifies the index in which the event is located.
Source
The source of an event is the name of the file, stream, or other input from which the event originates.
Source Type
The source type of an event is the format of the data input from which it originates.
The source type determines how your data is to be formatted.
Host
An event host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated.
HTTP Authorization Token
The Event Collector Token.
Creating an HTTP Token
Prerequisite
Install the Splunk Enterprise server and log in to the Splunk Dashboard using a URL in the format below:
<IP address of the machine on which the Splunk server is running>:port
Steps
Perform the steps below to generate the 'HTTP Authorization Token':
- Go to Settings > Data > Data inputs.
- Click HTTP Event Collector and then click New Token.
- In the Name field, enter a unique name for the token.
Optional Steps
- In the Source name override field, enter a source name for those events that this input generates.
- In the Description field, enter a description for the input.
- In the Output Group field, select an existing forwarder output group.
- To enable indexer acknowledgment for this token, click the Enable indexer acknowledgment checkbox.
- Click Next.
Optional Step
- Confirm the source type and the index for HEC events.
- Click Review.
Click Submit after confirming that the settings for the endpoint are as per the specific requirement. Else, click the button to make changes.
Splunk Web Page displays the token value. Keep a copy of this value for later reference.
Refer to the following link for more information:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/UsetheHTTPEventCollector
Channel Identifier
Used to send all events received by the component as raw events.
Batch Events
Sends requests as batched events.
Batch Size
Number of events in a batch.
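As an added illustration (not the component's own code), the Python below builds the HTTP Event Collector requests that the Event Configuration settings describe: the Add Metadata fields, the HTTP Authorization Token, the Channel Identifier and Batch Size. The function names, host name, token and events are constructed placeholders, and it assumes that setting a Channel Identifier selects Splunk's raw endpoint; the endpoint paths and the `Authorization: Splunk <token>` and `X-Splunk-Request-Channel` headers are those of Splunk's HTTP Event Collector.

```python
import json
import ssl
import urllib.parse
import urllib.request

METADATA_KEYS = {"index", "source", "sourcetype", "host"}  # the Add Metadata fields

def build_hec_requests(host, port, token, events, metadata=None,
                       batch_size=1, channel=None, allow_http=False):
    """Return one (url, headers, body) tuple per batch of events."""
    metadata = metadata or {}
    unknown = set(metadata) - METADATA_KEYS
    if unknown or batch_size < 1:
        raise ValueError(f"bad metadata keys {sorted(unknown)} or batch size")
    # Over plain HTTP the token is readable on the wire, so HTTPS is the default.
    scheme = "http" if allow_http else "https"
    base = f"{scheme}://{host}:{port}/services/collector"
    headers = {"Authorization": f"Splunk {token}"}
    if channel:  # assumption: a Channel Identifier means "send as raw events"
        headers["X-Splunk-Request-Channel"] = channel
    requests = []
    for i in range(0, len(events), batch_size):
        batch = events[i:i + batch_size]
        if channel:  # raw mode: metadata goes in the query string
            query = urllib.parse.urlencode(metadata)
            url = f"{base}/raw" + (f"?{query}" if query else "")
            body = "\n".join(str(e) for e in batch)
        else:  # JSON mode: one object per event, concatenated to form a batch
            url = f"{base}/event"
            body = "".join(json.dumps({**metadata, "event": e}) for e in batch)
        requests.append((url, dict(headers), body.encode("utf-8")))
    return requests

def send(url, headers, body, cafile=None):
    """POST one batch; certificate and hostname verification stay enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    # Constructed values: host name, token and events are placeholders.
    for url, headers, body in build_hec_requests(
            "splunk.example.internal", 8088,
            "00000000-0000-0000-0000-000000000000",
            [{"msg": "order created"}, {"msg": "order shipped"}],
            metadata={"index": "main", "sourcetype": "_json"}, batch_size=2):
        print(url, body.decode())
```

Pass `cafile` to `send` when the Splunk server presents a certificate issued by a private CA, rather than switching verification off.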
SSL Configurations
Click the SSL Configurations ellipsis button to launch the editor to set SSL configurations.
Refer to the SSL Security section for more information.
Threadpool Configuration
This property is used when messages need to be processed in parallel within the component while still maintaining the sequence from the external perspective.
Click the Threadpool Configuration ellipsis button to configure the Threadpool Configuration properties.
Figure 4: Threadpool Configuration
Enable Thread Pool
Enable this option to configure the properties that appear as below.
Pool Size
Number of requests to be processed in parallel within the component. Default value is '1'.
Batch Eviction Interval (in ms)
Time in milliseconds after which the threads are evicted in case of inactivity. New threads are created in place of evicted threads when new requests are received. Default value is '1000'.
Functional Demonstration
This demonstration sends an application event to the SplunkEventCollector microservice. Configure SplunkEventCollector as described in the Configuration and Testing section above, and use the Feeder and Display microservices to send a sample input and check the response, respectively.
Figure 5: Demonstrating a scenario with sample input and output
Input Message
Figure 6: Input message sent using feeder for S3Upload
Output Message
Figure 7: Output demonstrating the success