Splunk Source Connector for Confluent Platform
The Connect Splunk Source connector provides a way to integrate Splunk with Apache Kafka®. The connector receives data from applications that would normally send data to a Splunk HTTP Event Collector (HEC).
The connector supports the X-Forwarded-For header, which allows it to be used behind a load balancer.
Note
The connector does not support receiving data from a Splunk Universal Forwarder or Splunk Heavy Forwarder.
Important
This connector listens on a network port. Running more than one connector task or running in distributed mode can cause undesirable effects if another task already has the port open. It is recommended that you run this connector in Standalone Mode.
Prerequisites
The following are required to run the Kafka Connect Splunk Source Connector:
- Kafka Broker: Confluent Platform 3.3.0 or above
- Connect: Confluent Platform 4.1.0 or above
- Java 1.8
Install the Splunk Source Connector
You can install this connector by following the Confluent Hub instructions below, or you can manually download the ZIP file.
Install the connector using Confluent Hub
Prerequisite: Confluent Hub Client must be installed. This is installed by default with Confluent Enterprise.
Navigate to your Confluent Platform installation directory and run the following command to install the latest (latest) connector version. The connector must be installed on every machine where Connect will run.
confluent-hub install confluentinc/kafka-connect-splunk-source:latest
You can install a specific version by replacing latest with a version number. For example:
confluent-hub install confluentinc/kafka-connect-splunk-source:1.0.0-preview
Quick Start
This quick start uses the Splunk Source Connector to receive application data and ingest it into Kafka.
Install the connector using the Confluent Hub Client.
# run from your CP installation directory
confluent-hub install confluentinc/kafka-connect-splunk-source:latest
Start the Confluent Platform.
Tip
The command syntax for the Confluent CLI development commands changed in 5.3.0. These commands have been moved to confluent local. For example, the syntax for confluent start is now confluent local services start. For more information, see confluent local.
confluent local services start
Create a splunk-source.properties file with the following contents:
name=splunk-source
kafka.topic=splunk-source
tasks.max=1
connector.class=io.confluent.connect.SplunkHttpSourceConnector
splunk.collector.index.default=default-index
splunk.port=8889
splunk.ssl.key.store.path=/path/to/your/keystore.jks
splunk.ssl.key.store.password=<keystore password>
confluent.topic.bootstrap.servers=localhost:9092
confluent.topic.replication.factor=1
Load the Splunk Source Connector.
confluent local services connect connector load splunk-source --config splunk-source.properties
Important
Don’t use the Confluent CLI in production environments.
Confirm that the connector is in a RUNNING state.
confluent local services connect connector status splunk-source
Simulate an application sending data to the connector. The -k option tells curl to skip TLS certificate verification.
curl -k -X POST https://localhost:8889/services/collector/event -d '{"event":"from curl"}'
Verify the data was ingested into the Kafka topic.
kafka-avro-console-consumer --bootstrap-server localhost:9092 --topic splunk-source --from-beginning
Shut down Confluent Platform.
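A pre-flight check for the splunk-source.properties file from the quick start, run before loading the connector. This is an added example, not Confluent code: the function names prop, fail and check_splunk_source_config are hypothetical. Requiring an explicit port and a readable keystore is this example's own policy, not a documented connector requirement.

```shell
#!/bin/sh
# Added example (not Confluent code): pre-flight check for the quick start's
# splunk-source.properties before the connector is loaded.

# Print the value of key $2 in properties file $1 (last assignment wins).
prop() {
    awk -F= -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t\r]+$/, "", v); val = v }
        END { print val }' "$1"
}

fail() { echo "FAIL: $*"; issues=$((issues + 1)); }

# Returns the number of findings (0 = nothing found).
check_splunk_source_config() {
    f=$1; issues=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }

    # The connector binds a listening port, so only one task may run.
    tasks=$(prop "$f" tasks.max)
    [ "${tasks:-1}" = "1" ] || fail "tasks.max=$tasks, expected 1"

    # Policy of this example (assumption): the port must be set explicitly.
    case $(prop "$f" splunk.port) in
        ''|*[!0-9]*) fail "splunk.port missing or not numeric" ;;
    esac

    # The quick start posts over HTTPS, so a readable keystore is expected.
    ks=$(prop "$f" splunk.ssl.key.store.path)
    [ -n "$ks" ] && [ -r "$ks" ] || fail "keystore '$ks' missing or unreadable"

    # Reject an empty password or the unedited <...> placeholder.
    case $(prop "$f" splunk.ssl.key.store.password) in
        ''|'<'*'>') fail "keystore password empty or still a placeholder" ;;
    esac

    # The file holds the keystore password in clear text.
    [ -z "$(find "$f" -perm -004)" ] || fail "$f is world-readable"

    return "$issues"
}

if [ $# -gt 0 ]; then check_splunk_source_config "$1"; fi
```

Saved as a script and given the properties file as its argument, it exits with the number of findings, so it can gate the connector load step.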