Testing the `splunk` sink
Run Splunk in Docker with:

```shell
docker run -d -p 8000:8000 -p 8088:8088 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=norknork" --name splunk splunk/splunk:latest
```

Visit http://localhost:8000 in a browser. Log in as `admin`, password `norknork`.
1. From the menu go to `Settings` -> `Data inputs`. Click `Add new` for an `HTTP Event Collector`.
2. Give the collector a name and click `Next`.
3. Add `main` to the `Selected Allowed Indexes`. Click `Review` and then `Submit`.
4. Make a note of the `Token Value`; you will need to add this to your Vector config.
If you are setting up an HTTP source for easy testing, you may want to turn off TLS on the collector. To turn off TLS so data can be sent unencrypted, go to http://localhost:8000/en-GB/manager/search/http-eventcollector, hit `Global Settings` and untick `Enable SSL`. You need to do this every time the Docker container restarts.

To search, go to http://localhost:8000/en-GB/app/launcher/search and enter the search criteria `index="main"`.
Configure a sink in Vector with something like this:

```toml
[sinks.splunk]
type = "splunk_hec_logs"
inputs = ["<some_input>"]
endpoint = "http://localhost:8088"
encoding.codec = "json"
default_token = "<the token you noted down earlier>"
index = "main"
host_key = "host"
indexed_fields = ["message"]
sourcetype = "Application"
source = "{{ source }}"
```
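Before pointing Vector at the collector it is worth confirming that the token and index are accepted, so that a silent sink is not mistaken for a Splunk problem. The script below is an added example for this page, not Vector's own code: it builds the same kind of event body the `splunk_hec_logs` sink emits (`event`, `index`, `sourcetype`, `source`, `host`, plus `fields` for indexed fields) and posts it to the standard HEC endpoint `/services/collector/event` with the `Authorization: Splunk <token>` header. `HEC_TOKEN` is a placeholder for the token noted earlier, and the message and host values are constructed for the test.

```python
"""Smoke-test a Splunk HEC token with one hand-built event.

Added example, not part of the Vector project or this wiki page. Assumes the
Docker container above is running with SSL disabled on the collector
(http://localhost:8088). HEC_TOKEN is a placeholder for the token noted earlier.
"""
import json
import os
import urllib.error
import urllib.request

HEC_URL = os.environ.get("HEC_URL", "http://localhost:8088")
HEC_TOKEN = os.environ.get("HEC_TOKEN", "<the token you noted down earlier>")  # placeholder


def build_hec_event(message, index="main", sourcetype="Application",
                    source="vector-test", host="test-host", fields=None):
    """Build the JSON body HEC expects for a single event.

    `fields` become indexed fields, which is what the sink's
    `indexed_fields = ["message"]` setting produces for the `message` key.
    """
    body = {
        "event": message,
        "index": index,
        "sourcetype": sourcetype,
        "source": source,
        "host": host,
    }
    if fields:
        body["fields"] = dict(fields)
    return body


def build_request(token, body, base_url=HEC_URL):
    """Return (url, headers, encoded_body) for the HEC event POST."""
    url = base_url.rstrip("/") + "/services/collector/event"
    headers = {
        "Authorization": "Splunk " + token,   # HEC uses a bearer-style token header
        "Content-Type": "application/json",
    }
    data = json.dumps(body).encode("utf-8")
    return url, headers, data


def send_event(token, body, base_url=HEC_URL, timeout=5):
    """POST one event; return (http_status, parsed_response).

    HEC answers {"text": "Success", "code": 0} when the token is valid and the
    index is allowed for it. A 4xx with a non-zero "code" usually means the
    token is wrong or disabled, or the index is not in the token's allow list.
    """
    url, headers, data = build_request(token, body, base_url)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", errors="replace")
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = {"text": raw}
        return err.code, parsed


if __name__ == "__main__":
    # Constructed test event; search for it with: index="main" sourcetype="Application"
    event = build_hec_event("hello from the HEC smoke test",
                            fields={"message": "hello from the HEC smoke test"})
    status, reply = send_event(HEC_TOKEN, event)
    print(status, reply)
```

Run it with `HEC_TOKEN=<token> python3 hec_smoke.py`; a `200` with `"code": 0` means the sink config above will be accepted, and the event should appear under `index="main"`. Because SSL is unticked on the collector, the token travels in cleartext, which is acceptable only against this local container.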