Splunk Sink Connector for Confluent Cloud

Note

This is a Quick Start for the managed cloud connector. If you are installing the connector locally for Confluent Platform, see Splunk Sink Connector for Confluent Platform.

The Splunk Sink connector is used to move messages from Apache Kafka® to Splunk using the Splunk HTTP Event Collector (HEC).

Features

The Splunk Sink connector supports the following features:

  • At least once delivery: This connector guarantees that records from the Kafka topic are delivered at least once.
  • Supports multiple tasks: The connector supports running one or more tasks. More tasks may improve performance (that is, consumer lag is reduced with multiple tasks running).

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect section.

Limitations

Be sure to review the following information.

Quick Start

Use this quick start to get up and running with the Confluent Cloud Splunk Sink connector. The quick start provides the basics of selecting the connector and configuring it to stream events to Splunk.

Prerequisites
  • Authorized access to a Confluent Cloud cluster on Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud Platform (GCP).
  • The Confluent CLI installed and configured for the cluster. See Install the Confluent CLI.
  • Authorized access to Splunk.
  • Schema Registry must be enabled to use a Schema Registry-based format (for example, Avro, JSON_SR (JSON Schema), or Protobuf). See Schema Registry Enabled Environments for additional information.
  • At least one source Kafka topic must exist in your Confluent Cloud cluster before creating the sink connector.

Using the Confluent Cloud Console

Step 1: Launch your Confluent Cloud cluster.

See the Quick Start for Confluent Cloud for installation instructions.

Step 2: Add a connector.

In the left navigation menu, click Connectors. If you already have connectors in your cluster, click + Add connector.

Step 3: Select your connector.

Click the Splunk Sink connector card.

Splunk Sink Connector Card

Step 4: Enter the connector details.

Note

  • Make sure you have all your prerequisites completed.
  • An asterisk ( * ) designates a required entry.
  • Descriptions for optional UI properties are not provided in the following steps. See Configuration Properties for configuration property values and descriptions.

At the Add Splunk Sink Connector screen, complete the following:

If you’ve already populated your Kafka topics, select the topic(s) you want to connect from the Topics list.

To create a new topic, click +Add new topic.

Step 5: Check for records.

Verify that records are being produced at Splunk.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See Confluent Cloud Dead Letter Queue for details.

Using the Confluent CLI

To set up and run the connector using the Confluent CLI, complete the following steps.

Note

  • Make sure you have all your prerequisites completed.
  • The example commands use Confluent CLI version 2. For more information see, Confluent CLI v2.

Step 1: List the available connectors.

Enter the following command to list available connectors:

confluent connect plugin list

Step 2: Show the required connector configuration properties.

Enter the following command to show the required connector properties:

confluent connect plugin describe <connector-catalog-name>

For example:

confluent connect plugin describe SplunkSink

Example output:

Following are the required configs:
connector.class: SplunkSink
topics
input.data.format
name
kafka.api.key
kafka.api.secret
splunk.hec.uri
splunk.hec.token
tasks.max

Step 3: Create the connector configuration file.

Create a JSON file that contains the connector configuration properties. The following example shows the required connector properties.

{
  "connector.class": "SplunkSink",
  "topics": "orders",
  "name": "SplunkSinkConnector_0",
  "input.data.format": "AVRO",
  "kafka.auth.mode": "KAFKA_API_KEY",
  "kafka.api.key": "<my-kafka-api-key>",
  "kafka.api.secret": "<my-kafka-api-secret>",
  "splunk.hec.uri": "https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088",
  "splunk.hec.token": "<token>",
  "tasks.max": "1",

}

Note the following property definitions:

  • "connector.class": Identifies the connector plugin name.
  • "input.data.format": Sets the input Kafka record value format (data coming from the Kafka topic). Valid entries are AVRO, JSON_SR, PROTOBUF, JSON, or STRING. You must have Confluent Cloud Schema Registry configured if using a schema-based message format (for example, Avro, JSON_SR (JSON Schema), or Protobuf).
  • "name": Sets a name for your new connector.
  • "kafka.auth.mode": Identifies the connector authentication mode you want to use. There are two options: SERVICE_ACCOUNT or KAFKA_API_KEY (the default). To use an API key and secret, specify the configuration properties kafka.api.key and kafka.api.secret, as shown in the example configuration (above). To use a service account, specify the Resource ID in the property kafka.service.account.id=<service-account-resource-ID>. To list the available service account resource IDs, use the following command:

    confluent iam service-account list
    

    For example:

    confluent iam service-account list
    
       Id     | Resource ID |       Name        |    Description
    +---------+-------------+-------------------+-------------------
       123456 | sa-l1r23m   | sa-1              | Service account 1
       789101 | sa-l4d56p   | sa-2              | Service account 2
    
  • "splunk.hec.uri": Add a comma-separated list of FQDNs or IP addresses for all Splunk indexers, or add a load balancer. For Splunk indexers, load balancing uses round-robin scheduling. Example: https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088.

  • "splunk.hec.token": Add the Splunk HTTP Event Collector token.

  • "tasks.max": Enter the maximum number of tasks for the connector to use. More tasks may improve performance.

  • "topics": Enter the topic name or a comma-separated list of topic names.

Single Message Transforms: See the Single Message Transforms (SMT) documentation for details about adding SMTs using the CLI.

See Configuration Properties for all property values and descriptions.

Step 3: Load the properties file and create the connector.

Enter the following command to load the configuration and start the connector:

confluent connect create --config <file-name>.json

For example:

confluent connect create --config splunk-sink-config.json

Example output:

Created connector SplunkSinkConnector_0 lcc-do6vzd

Step 4: Check the connector status.

Enter the following command to check the connector status:

confluent connect list

Example output:

ID           |             Name                | Status  | Type | Trace
+------------+---------------------------------+---------+------+-------+
lcc-do6vzd   | SplunkSinkConnector_0           | RUNNING | sink |       |

Step 5: Check for records.

Verify that records are populating Splunk.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See Confluent Cloud Dead Letter Queue for details.

Configuration Properties

Use the following configuration properties with this connector.

Note

These are properties for the managed cloud connector. If you are installing the connector locally for Confluent Platform, see Splunk Sink Connector for Confluent Platform.

Which topics do you want to get data from?

topics

Identifies the topic name or a comma-separated list of topic names.

  • Type: list
  • Importance: high

Input messages

input.data.format

Sets the input Kafka record value format. Valid entries are AVRO, JSON, JSON_SR, PROTOBUF, or STRING. Note that you need to have Confluent Cloud Schema Registry configured if using a schema-based message format like AVRO, JSON_SR, and PROTOBUF.

  • Type: string
  • Importance: high

How should we connect to your data?

name

Sets a name for your connector.

  • Type: string
  • Valid Values: A string at most 64 characters long
  • Importance: high

Kafka Cluster credentials

kafka.auth.mode

Kafka Authentication mode. It can be one of KAFKA_API_KEY or SERVICE_ACCOUNT. It defaults to KAFKA_API_KEY mode.

  • Type: string
  • Default: KAFKA_API_KEY
  • Valid Values: KAFKA_API_KEY, SERVICE_ACCOUNT
  • Importance: high
kafka.api.key
  • Type: password
  • Importance: high
kafka.service.account.id

The Service Account that will be used to generate the API keys to communicate with Kafka Cluster.

  • Type: string
  • Importance: high
kafka.api.secret
  • Type: password
  • Importance: high

How should we connect to Splunk?

splunk.hec.uri

Either a list of FQDNs or IPs of all Splunk indexers, separated with a ‘,’ or a load balancer. The connector will load balance to indexers using round robin. Example: https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088.

  • Type: string
  • Importance: high
splunk.hec.token

Splunk HTTP Event Collector token.

  • Type: password
  • Importance: high
splunk.hec.ssl.validate.certs

Enables or disables HTTPS certification validation.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.ssl.trust.store.file

The certificate trust store containing the certificates required to validate the SSL connection.

  • Type: password
  • Default: [hidden]
  • Importance: high
splunk.hec.ssl.trust.store.password

Password for the certificate trust store.

  • Type: password
  • Importance: high

Metadata configuration

splunk.indexes

Splunk index names for Kafka topic data separated by comma for multiple topics to indexers (“prod-index1,prod-index2,prod-index3”).

  • Type: string
  • Default: default
  • Importance: medium
splunk.sourcetypes

Splunk event sourcetype metadata for Kafka topic data.

  • Type: string
  • Importance: medium
splunk.sources

Splunk event source metadata for Kafka topic data.

  • Type: string
  • Importance: medium

Endpoint configuration

splunk.hec.raw

When set to true, the connector ingests data using the the /raw HEC endpoint.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.hec.raw.line.breaker

Only applicable to /raw HEC endpoint. The setting is used to specify a custom line breaker to help Splunk separate the events correctly.

  • Type: string
  • Importance: medium
splunk.hec.json.event.enrichment

Only applicable to /event HEC endpoint. This setting is used to enrich raw data with extra metadata fields. It contains a list of key value pairs separated by “,”.

  • Type: string
  • Importance: low
splunk.hec.track.data

Only applicable to /event HEC endpoint. When set to true, data loss and data injection latency metadata will be indexed along with raw data.

  • Type: boolean
  • Default: false
  • Importance: low

HEC configuration

splunk.hec.http.keepalive

Enables or disables HTTP connection keep-alive.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.max.http.connection.per.channel

Max HTTP connections pooled for one HEC Channel when posting events to Splunk.

  • Type: int
  • Default: 2
  • Importance: medium
splunk.hec.total.channels

Total HEC Channels used to post events to Splunk.

  • Type: int
  • Default: 2
  • Importance: high
splunk.hec.socket.timeout

Max duration in seconds to read / write data to network before internal TCP Socket timeout.

  • Type: int
  • Default: 60
  • Importance: low
splunk.hec.use.record.timestamp

When set to true, The timestamp is retrieved from the Kafka record and passed to Splunk as a HEC metadata override.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.threads

The number of threads spawned to do data injection via HEC in a single connector task.

  • Type: int
  • Default: 1
  • Valid Values: [1,…,10]
  • Importance: low
splunk.hec.max.outstanding.events

Maximum amount of unacknowledged events kept in memory by connector. Will trigger back-pressure event to slow collection.

  • Type: int
  • Default: 10000
  • Valid Values: [10000,…,100000]
  • Importance: medium
splunk.hec.max.retries

Number of retries for failed batches before giving up. By default this is set to -1 which will retry indefinitely.

  • Type: int
  • Default: -1
  • Importance: medium
splunk.hec.backoff.threshhold.seconds

The amount of time the connector waits on errors sending events to Splunk to attempt resending it.

  • Type: int
  • Default: 60
  • Importance: medium
splunk.hec.json.event.formatted

Set to true for events that are already in HEC format.

  • Type: boolean
  • Default: false
  • Importance: low
splunk.hec.max.batch.size

Maximum batch size when posting events to Splunk. The size is the actual number of Kafka events not the byte size.

  • Type: int
  • Default: 500
  • Importance: medium
splunk.hec.lb.poll.interval

This setting controls the load balancer polling interval.

  • Type: int
  • Default: 120
  • Importance: low
splunk.flush.window

The interval in seconds at which the events from kafka will be flushed to Splunk.

  • Type: int
  • Default: 30
  • Importance: low

Acknowledgement configuration

splunk.hec.ack.enabled

When set to true the connector will poll event ACKs for POST events before check-pointing the Kafka offsets. This is used to prevent data loss, as this setting implements guaranteed delivery.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.hec.ack.poll.interval

This setting is only applicable when splunk.hec.ack.enabled is set to true. Internally it controls the event ACKs polling interval.

  • Type: int
  • Default: 10
  • Importance: medium
splunk.hec.ack.poll.threads

This setting is only applicable when splunk.hec.ack.enabled is set to true. It controls how many threads should be spawned to poll event ACKs.

  • Type: int
  • Default: 1
  • Valid Values: [1,…,10]
  • Importance: medium
splunk.hec.event.timeout

This setting is only applicable when splunk.hec.ack.enabled is set to true. When events are POSTed to Splunk and before they are ACKed, this setting determines how long the connector will wait before timing out and resending.

  • Type: int
  • Default: 300
  • Importance: medium

Headers configuration

splunk.header.support

When set to true the connector will parse Kafka headers for use as metadata in Splunk events.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.header.custom

This setting will look for kafka record headers with these values and add them to each event if present. Custom headers are configured separated by comma for multiple headers. Example: “custom_header_1,custom_header_2,custom_header_3”.

  • Type: string
  • Importance: medium
splunk.header.index

Header to use for Splunk Header Index

  • Type: string
  • Default: splunk.header.index
  • Importance: medium
splunk.header.source

Header to use for Splunk Header Source

  • Type: string
  • Default: splunk.header.source
  • Importance: medium
splunk.header.sourcetype

Header to use for Splunk Header Sourcetype

  • Type: string
  • Default: splunk.header.sourcetype
  • Importance: medium
splunk.header.host

Header to use for Splunk Header Host

  • Type: string
  • Default: splunk.header.host
  • Importance: medium

Number of tasks for this connector

tasks.max
  • Type: int
  • Valid Values: [1,…]
  • Importance: high

Next Steps

See also

For an example that shows fully-managed Confluent Cloud connectors in action with Confluent Cloud ksqlDB, see the Cloud ETL Demo. This example also shows how to use Confluent CLI to manage your resources in Confluent Cloud.

../_images/topology.png