Red Hat SummitFuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 140. Splunk
Splunk Component
링크 복사링크가 클립보드에 복사되었습니다!
Available as of Camel 2.13
The Splunk component provides access to Splunk using the Splunk provided client api, and it enables you to publish and search for events in Splunk.
Maven users will need to add the following dependency to their pom.xml for this component:
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-splunk</artifactId>
<version>${camel-version}</version>
</dependency>
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-splunk</artifactId>
<version>${camel-version}</version>
</dependency>URI format
링크 복사링크가 클립보드에 복사되었습니다!
splunk://[endpoint]?[options]
splunk://[endpoint]?[options]Producer Endpoints:
링크 복사링크가 클립보드에 복사되었습니다!
|
Endpoint
|
Description
|
|---|---|
|
stream
|
Streams data to a named index or the default if not specified. When using stream mode be aware of that Splunk has some internal buffer (about 1MB or so) before events gets to the index. If you need realtime, better use submit or tcp mode.
|
|
submit
|
submit mode. Uses Splunk rest api to publish events to a named index or the default if not specified.
|
|
tcp
|
tcp mode. Streams data to a tcp port, and requires a open receiver port in Splunk.
|
When publishing events the message body should contain a SplunkEvent.
Example
from("direct:start").convertBodyTo(SplunkEvent.class)
.to("splunk://submit?username=user&password=123&index=myindex&sourceType=someSourceType&source=mySource")...
from("direct:start").convertBodyTo(SplunkEvent.class)
.to("splunk://submit?username=user&password=123&index=myindex&sourceType=someSourceType&source=mySource")...
In this example a converter is required to convert to a SplunkEvent class.
Consumer Endpoints:
링크 복사링크가 클립보드에 복사되었습니다!
|
Endpoint
|
Description
|
|---|---|
|
normal
|
Performs normal search and requires a search query in the search option.
|
|
savedsearch
|
Performs search based on a search query saved in splunk and requires the name of the query in the savedSearch option.
|
Example
from("splunk://normal?delay=5s&username=user&password=123&initEarliestTime=-10s&search=search index=myindex sourcetype=someSourcetype")
.to("direct:search-result");
from("splunk://normal?delay=5s&username=user&password=123&initEarliestTime=-10s&search=search index=myindex sourcetype=someSourcetype")
.to("direct:search-result");
camel-splunk creates a route exchange per search result with a SplunkEvent in the body.
URI Options
링크 복사링크가 클립보드에 복사되었습니다!
|
Name
|
Default Value
|
Context
|
Description
|
|---|---|---|---|
|
host
|
localhost
|
Both
|
Splunk host.
|
|
port
|
8089
|
Both
|
Splunk port
|
|
username
|
null
|
Both
|
Username for Splunk
|
|
password
|
null
|
Both
|
Password for Splunk
|
|
connectionTimeout
|
5000
|
Both
|
Timeout in MS when connecting to Splunk server
|
|
useSunHttpsHandler
|
false
|
Both
|
Use sun.net.www.protocol.https.Handler Https hanlder to establish the Splunk Connection. Can be useful when running in application servers to avoid app. server https handling.
|
|
index
|
null
|
Producer
|
Splunk index to write to
|
|
sourceType
|
null
|
Producer
|
Splunk sourcetype arguement
|
|
source
|
null
|
Producer
|
Splunk source arguement
|
|
tcpReceiverPort
|
0
|
Producer
|
Splunk tcp receiver port when using tcp producer endpoint.
|
|
initEarliestTime
|
null
|
Consumer
|
Initial start offset of the first search. Required
|
|
earliestTime
|
null
|
Consumer
|
Earliest time of the search time window.
|
|
latestTime
|
null
|
Consumer
|
Latest time of the search time window.
|
|
count
|
0
|
Consumer
|
A number that indicates the maximum number of entities to return. Note this is not the same as maxMessagesPerPoll which currently is unsupported
|
|
search
|
null
|
Consumer
|
The Splunk query to run
|
|
savedSearch
|
null
|
Consumer
|
The name of the query saved in Splunk to run
|
|
streaming
|
false
|
Consumer
|
Camel 2.14.0 : Stream exchanges as they are received from Splunk, rather than returning all of them in one batch. This has the benefit of receiving results faster, as well as requiring less memory as exchanges aren't buffered in the component.
|
Message body
링크 복사링크가 클립보드에 복사되었습니다!
Splunk operates on data in key/value pairs. The SplunkEvent class is a placeholder for such data, and should be in the message body for the producer. Likewise it will be returned in the body per search result for the consumer.
Use Cases
링크 복사링크가 클립보드에 복사되었습니다!
Search Twitter for tweets with music and publish events to Splunk
from("twitter://search?type=polling&keywords=music&delay=10&consumerKey=abc&consumerSecret=def&accessToken=hij&accessTokenSecret=xxx")
.convertBodyTo(SplunkEvent.class)
.to("splunk://submit?username=foo&password=bar&index=camel-tweets&sourceType=twitter&source=music-tweets");
from("twitter://search?type=polling&keywords=music&delay=10&consumerKey=abc&consumerSecret=def&accessToken=hij&accessTokenSecret=xxx")
.convertBodyTo(SplunkEvent.class)
.to("splunk://submit?username=foo&password=bar&index=camel-tweets&sourceType=twitter&source=music-tweets");
To convert a Tweet to a SplunkEvent you could use a converter like
Search Splunk for tweets
from("splunk://normal?username=foo&password=bar&initEarliestTime=-2m&search=search index=camel-tweets sourcetype=twitter")
.log("${body}");
from("splunk://normal?username=foo&password=bar&initEarliestTime=-2m&search=search index=camel-tweets sourcetype=twitter")
.log("${body}");Other comments
링크 복사링크가 클립보드에 복사되었습니다!
Splunk comes with a variety of options for leveraging machine generated data with prebuilt apps for analyzing and displaying this. For example the jmx app. could be used to publish jmx attributes, eg. route and jvm metrics to Splunk, and displaying this on a dashboard.
See Also
링크 복사링크가 클립보드에 복사되었습니다!
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}