forked from open-telemetry/opentelemetry-collector
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add example showing how to use the HEC raw event parsing endpoint (op…
…en-telemetry#1605) * Add example showing how to use the HEC raw event parsing endpoint * Delete .gitignore * Update docker-compose.yml
- Loading branch information
Showing
4 changed files
with
119 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Splunk Raw HEC example | ||
|
|
||
| This example showcases how the collector can expose a HTTP endpoint to receive data over the HEC endpoint as a raw payload. | ||
|
|
||
| To learn more about HEC raw capabilities, head on to the [HEC documentation](https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/FormateventsforHTTPEventCollector#Raw_event_parsing). | ||
|
|
||
| The example runs as a Docker Compose deployment. | ||
|
|
||
| Splunk is configured to receive data from the OpenTelemetry Collector using the HTTP Event collector. To learn more about HEC, visit [our guide](https://dev.splunk.com/enterprise/docs/dataapps/httpeventcollector/). | ||
|
|
||
| To deploy the example, check out this git repository, open a terminal and in this directory type: | ||
| ```bash | ||
| $> docker-compose up | ||
| ``` | ||
|
|
||
| Splunk will become available on port 18000. You can login on [http://localhost:18000](http://localhost:18000) with `admin` and `changeme`. | ||
|
|
||
| Once logged in, visit the [search application](http://localhost:18000/en-US/app/search) to see the logs collected by Splunk. | ||
|
|
||
| # Using curl locally | ||
|
|
||
| You can send logs to Splunk by sending data via curl with the following command: | ||
|
|
||
| ```bash | ||
| $> curl -XPOST -k localhost:18088/services/collector/raw -d "your message here" | ||
| ``` | ||
|
|
||
| * `18088` is the port we expose our collector's HEC endpoint on the host machine. | ||
| * `/services/collector/raw` is the path to the HEC raw parsing entrypoint. | ||
| * `-k` is a required flag as we talk to localhost, and therefere no SSL certificate checks should take place. | ||
| * The message is sent as the body of a POST request, so `-XPOST` is necessary, and the `-d` flag indicates the data to send. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| version: "3" | ||
| services: | ||
| sender: | ||
| image: ubuntu:latest | ||
| command: 'bash -c "apt update && apt install curl -y && while true; do curl -XPOST -k otelcollector:8088/services/collector/raw -d \"$$(date) new message\"; sleep 5; done"' | ||
| container_name: curl | ||
| # Splunk Enterprise server: | ||
| splunk: | ||
| image: splunk/splunk:latest | ||
| container_name: splunk | ||
| environment: | ||
| - SPLUNK_START_ARGS=--accept-license | ||
| - SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-0000000000000 | ||
| - SPLUNK_PASSWORD=changeme | ||
| ports: | ||
| - 18000:8000 | ||
| healthcheck: | ||
| test: ['CMD', 'curl', '-f', 'http://localhost:8000'] | ||
| interval: 5s | ||
| timeout: 5s | ||
| retries: 20 | ||
| volumes: | ||
| - ./splunk.yml:/tmp/defaults/default.yml | ||
| - /opt/splunk/var | ||
| - /opt/splunk/etc | ||
| # OpenTelemetry Collector | ||
| otelcollector: | ||
| image: quay.io/signalfx/splunk-otel-collector:0.48.0 | ||
| container_name: otelcollector | ||
| command: ["--config=/etc/otel-collector-config.yml"] | ||
| volumes: | ||
| - ./otel-collector-config.yml:/etc/otel-collector-config.yml | ||
| depends_on: | ||
| - splunk | ||
| ports: | ||
| - 18088:8088 |
41 changes: 41 additions & 0 deletions
41
examples/otel-logs-splunk-raw-hec/otel-collector-config.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| receivers: | ||
| splunk_hec/raw: | ||
|
|
||
| exporters: | ||
| splunk_hec/logs: | ||
| # Splunk HTTP Event Collector token. | ||
| token: "00000000-0000-0000-0000-0000000000000" | ||
| # URL to a Splunk instance to send data to. | ||
| endpoint: "https://splunk:8088/services/collector" | ||
| # Optional Splunk source: https://docs.splunk.com/Splexicon:Source | ||
| source: "output" | ||
| # Splunk index, optional name of the Splunk index targeted. | ||
| index: "logs" | ||
| # Maximum HTTP connections to use simultaneously when sending data. Defaults to 100. | ||
| max_connections: 20 | ||
| # Whether to disable gzip compression over HTTP. Defaults to false. | ||
| disable_compression: false | ||
| # HTTP timeout when sending data. Defaults to 10s. | ||
| timeout: 10s | ||
| # Whether to skip checking the certificate of the HEC endpoint when sending data over HTTPS. Defaults to false. | ||
| # For this demo, we use a self-signed certificate on the Splunk docker instance, so this flag is set to true. | ||
| insecure_skip_verify: true | ||
|
|
||
| processors: | ||
| batch: | ||
|
|
||
| extensions: | ||
| health_check: | ||
| endpoint: 0.0.0.0:13133 | ||
| pprof: | ||
| endpoint: :1888 | ||
| zpages: | ||
| endpoint: :55679 | ||
|
|
||
| service: | ||
| extensions: [pprof, zpages, health_check] | ||
| pipelines: | ||
| logs: | ||
| receivers: [splunk_hec/raw] | ||
| processors: [batch] | ||
| exporters: [splunk_hec/logs] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| splunk: | ||
| conf: | ||
| indexes: | ||
| directory: /opt/splunk/etc/apps/search/local | ||
| content: | ||
| logs: | ||
| coldPath: $SPLUNK_DB/logs/colddb | ||
| datatype: event | ||
| homePath: $SPLUNK_DB/logs/db | ||
| maxTotalDataSizeMB: 512000 | ||
| thawedPath: $SPLUNK_DB/logs/thaweddb |