Splunk Enterprise plugin

For more information about what this plugin does and the data streams it retrieves, see:

Splunk

Monitor any events or metrics and retrieve reports from your Splunk Enterprise environment using custom SPL queries.

This is an on-prem data source.

This data source works well alongside other data sources: it lets you retrieve additional data and insights about objects that have been indexed by those other data sources.

How to add the data source

To add a data source, click the + next to Data Sources in the left-hand menu in SquaredUp. Search for the data source and click it to open the Configure data source page.

Configuring and deploying an agent

If you have already created an agent in SquaredUp that you can use for this data source, you can skip this step and choose the agent group you want to use while adding the data source.

See one of the following, depending on your platform type:

Configuring the data source

  1. Display Name:
    Enter a name for your data source. This helps you to identify this data source in the list of your data sources.

  2. Agent Group:
    Select the Agent Group that contains the agent(s) you want to use.

  3. Splunk Enterprise URL:
    Enter the URL for your Splunk Enterprise server.
  4. To access your Splunk instance, you need to enter either a token or your Splunk user name and password.
    If you use a token:
    Create a token in your Splunk instance and paste it in here.
    If you use your Splunk user name and password:
    Enter the user name and password you use to log in to your Splunk instance.
  5. Ignore Certificate errors:
    If you select this checkbox, the data source does not validate the Splunk Enterprise server's certificate and ignores any certificate errors when connecting to it.
  6. Optionally, select whether you would like to restrict access to this data source instance. By default, restricted access is set to off.

  7. Click Add.

    You can also add a data source from Settings > Data Sources > Add data source, but sample dashboards are not added when using this method.

  8. The data source is now added. To be able to use it, you need to create a custom Data Stream for this data source.

Using the Splunk data streams

Data streams

The following data streams are installed with this plugin.

Writing a custom data stream (advanced users)

  1. In SquaredUp, browse to Settings > Advanced > Data Streams.
  2. Click Add custom data stream.
  3. Add your custom data stream by entering the following settings:
    1. Name:
      Enter a display name for your data stream.

      The display name is the name that you use to identify your data stream in SquaredUp. It has no technical impact and doesn't need to be referenced in the data stream's code.

    2. Data source:
      Choose the data source this data stream is for.
      After you've chosen the data source, the Entry Point field is displayed.
    3. Entry Point:
      Specify the data stream entry point and enter the data stream definition in the Code field.
      To find out which entry point to select and to get code examples for the Code field, see the help below.
  4. Click Save to save your data stream.

Example 1: Get Windows Event Log Entries for Given Hosts

This Data Stream uses Host objects, which need to come from a different data source (for example, the VMware vCenter data source), and runs a query that returns Windows Application event log messages for each host.

Which entry point do I have to select from the dropdown?

Splunk Enterprise Query (Scoped)

Code example:

{
  "name": "SplunkAppEventsForHost",
  "dataSourceConfig": {
    "query": "search source=\"WinEventLog:Application\" | where host = \"{{name}}\" | fields host,Message"
  },
  "matches": {
    "type": {
      "type": "equals",
      "value": "host"
    }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_indextime", "displayName": "Timestamp", "shape": "date",    "role": "timestamp" },
    { "name": "host",       "displayName": "Host",      "shape": "string" },
    { "name": "Message",    "displayName": "Message",   "shape": "string",  "role": "value" }
  ]
}

Example 2: Get Results for Saved Report

Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other data sources.

Which entry point do I have to select from the dropdown?

Splunk Enterprise Query (Scoped)

Code example:

{
  "name": "SplunkRunMySavedReport",
  "dataSourceConfig": {
    "query": "| savedsearch mySavedReport | fields host,Message"
  },
  "matches": {
    "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_indextime", "displayName": "Timestamp", "shape": "date",    "role": "timestamp" },
    { "name": "host",       "displayName": "Host",      "shape": "string" },
    { "name": "Message",    "displayName": "Message",   "shape": "string",  "role": "value" }
  ]
}

Example 3: Get Time-Series Data for Metric

Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other data sources.

Which entry point do I have to select from the dropdown?

Splunk Enterprise Query (Scoped)

Code example:

{
  "name": "SplunkMpoolUsedMetric",
  "dataSourceConfig": {
    "query": "| mstats avg(\"spl.mlog.mpool.used\") WHERE \"index\"=\"_metrics\" span=60s chart=true"
  },
  "matches": {
    "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_time",                    "displayName": "Timestamp", "shape": "date",    "role": "timestamp" },
    { "name": "avg(spl.mlog.mpool.used)", "displayName": "Value",     "shape": "number",  "role": "value" }
  ]
}
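A lint pass you can run over a data stream definition before pasting it into the Code field, added here as an example; it is not part of SquaredUp or its documentation. The checks (exactly one timestamp role, at least one value role, a double-quoted {{name}} placeholder only in streams that match an object type, metadata names kept by a trailing fields clause) are conventions inferred from the three examples above rather than a documented schema, and the broken definition at the bottom is constructed for the demonstration.

```python
import re

PLACEHOLDER = re.compile(r"\{\{\s*\w+\s*\}\}")
FIELDS_CLAUSE = re.compile(r"\|\s*fields\s+([^|]+)$")


def lint_stream(definition: dict) -> list[str]:
    """Return the problems found; an empty list means the definition passed every check."""
    problems = []
    query = definition.get("dataSourceConfig", {}).get("query", "").strip()
    if not query:
        problems.append("dataSourceConfig.query is empty")
    matches = definition.get("matches") or {}
    # {{name}} placeholders are filled from the matched object, so the stream needs an
    # object type (Example 1 matches type=host), and the placeholder should sit inside
    # SPL double quotes so the substituted value is read as a string literal.
    for ph in PLACEHOLDER.finditer(query):
        if "type" not in matches:
            problems.append(f"{ph.group()} used but matches selects no object type")
        if query[ph.start() - 1:ph.start()] != '"' or query[ph.end():ph.end() + 1] != '"':
            problems.append(f"{ph.group()} is not enclosed in double quotes")
    metadata = definition.get("metadata") or []
    roles = [col.get("role") for col in metadata]
    if roles.count("timestamp") != 1:
        problems.append("expected exactly one metadata column with role 'timestamp'")
    if "value" not in roles:
        problems.append("expected at least one metadata column with role 'value'")
    # Assumption: a metadata column not kept by a trailing 'fields' clause can never be
    # populated. Splunk internal fields (leading underscore, e.g. _indextime) are exempt.
    clause = FIELDS_CLAUSE.search(query)
    if clause:
        kept = {f.strip() for f in clause.group(1).split(",")}
        for name in (col.get("name", "") for col in metadata):
            if name and not name.startswith("_") and name not in kept:
                problems.append(f"metadata column '{name}' is dropped by the fields clause")
    return problems


# Constructed input: the page's Example 1 with three deliberate mistakes, an unquoted
# {{name}}, a second timestamp column and a column name that the fields clause drops.
BROKEN_EXAMPLE = {
    "name": "SplunkAppEventsForHost",
    "dataSourceConfig": {"query": 'search source="WinEventLog:Application" | where host = {{name}} | fields host,Message'},
    "matches": {"type": {"type": "equals", "value": "host"}},
    "metadata": [
        {"name": "_indextime", "displayName": "Timestamp", "shape": "date", "role": "timestamp"},
        {"name": "_time", "displayName": "Time", "shape": "date", "role": "timestamp"},
        {"name": "message", "displayName": "Message", "shape": "string", "role": "value"},
    ],
}

if __name__ == "__main__":
    for problem in lint_stream(BROKEN_EXAMPLE):
        print("-", problem)
```

Run against the unmodified Example 1 or Example 3 above, the function returns an empty list.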
