Splunk Sink Connector for Confluent Cloud

The fully-managed Splunk Sink connector for Confluent Cloud is used to move messages from Apache Kafka® to Splunk using the Splunk HTTP Event Collector (HEC).

Note

Features

The Splunk Sink connector supports the following features:

  • At least once delivery: This connector guarantees that records from the Kafka topic are delivered at least once.
  • Supports multiple tasks: The connector supports running one or more tasks. More tasks may improve performance (that is, consumer lag is reduced with multiple tasks running).

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Limitations

Be sure to review the following information.

Quick Start

Use this quick start to get up and running with the Confluent Cloud Splunk Sink connector. The quick start provides the basics of selecting the connector and configuring it to stream events to Splunk.

Prerequisites
  • Authorized access to a Confluent Cloud cluster on Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud.
  • The Confluent CLI installed and configured for the cluster. See Install the Confluent CLI.
  • Authorized access to Splunk.
  • Schema Registry must be enabled to use a Schema Registry-based format (for example, Avro, JSON_SR (JSON Schema), or Protobuf). See Schema Registry Enabled Environments for additional information.
  • At least one source Kafka topic must exist in your Confluent Cloud cluster before creating the sink connector.

Using the Confluent Cloud Console

Step 1: Launch your Confluent Cloud cluster

See the Quick Start for Confluent Cloud for installation instructions.

Step 2: Add a connector

In the left navigation menu, click Connectors. If you already have connectors in your cluster, click + Add connector.

Step 3: Select your connector

Click the Splunk Sink connector card.

Splunk Sink Connector Card

Step 4: Enter the connector details

Note

  • Make sure you have all your prerequisites completed.
  • An asterisk ( * ) designates a required entry.
  • Descriptions for optional UI properties are not provided in the following steps. See Configuration Properties for configuration property values and descriptions.

At the Add Splunk Sink Connector screen, complete the following:

If you’ve already populated your Kafka topics, select the topics you want to connect from the Topics list.

To create a new topic, click +Add new topic.

Step 5: Check for records

Verify that records are being produced at Splunk.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.

Using the Confluent CLI

To set up and run the connector using the Confluent CLI, complete the following steps.

Note

Make sure you have all your prerequisites completed.

Step 1: List the available connectors

Enter the following command to list available connectors:

confluent connect plugin list

Step 2: List the connector configuration properties

Enter the following command to show the connector configuration properties:

confluent connect plugin describe <connector-plugin-name>

The command output shows the required and optional configuration properties.

Step 3: Create the connector configuration file

Create a JSON file that contains the connector configuration properties. The following example shows the required connector properties.

{
  "connector.class": "SplunkSink",
  "topics": "orders",
  "name": "SplunkSinkConnector_0",
  "input.data.format": "AVRO",
  "kafka.auth.mode": "KAFKA_API_KEY",
  "kafka.api.key": "<my-kafka-api-key>",
  "kafka.api.secret": "<my-kafka-api-secret>",
  "splunk.hec.uri": "https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088",
  "splunk.hec.token": "<token>",
  "tasks.max": "1",

}

Note the following property definitions:

  • "connector.class": Identifies the connector plugin name.
  • "input.data.format": Sets the input Kafka record value format (data coming from the Kafka topic). Valid entries are AVRO, JSON_SR, PROTOBUF, JSON, or STRING. You must have Confluent Cloud Schema Registry configured if using a schema-based message format (for example, Avro, JSON_SR (JSON Schema), or Protobuf).
  • "name": Sets a name for your new connector.

  • "kafka.auth.mode": Identifies the connector authentication mode you want to use. There are two options: SERVICE_ACCOUNT or KAFKA_API_KEY (the default). To use an API key and secret, specify the configuration properties kafka.api.key and kafka.api.secret, as shown in the example configuration (above). To use a service account, specify the Resource ID in the property kafka.service.account.id=<service-account-resource-ID>. To list the available service account resource IDs, use the following command:

    confluent iam service-account list

    For example:

    confluent iam service-account list

   Id     | Resource ID |       Name        |    Description
+---------+-------------+-------------------+-------------------
   123456 | sa-l1r23m   | sa-1              | Service account 1
   789101 | sa-l4d56p   | sa-2              | Service account 2

  • "splunk.hec.uri": Add a comma-separated list of FQDNs or IP addresses for all Splunk indexers, or add a load balancer. For Splunk indexers, load balancing uses round-robin scheduling. Example: https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088.

  • "splunk.hec.token": Add the Splunk HTTP Event Collector token.

  • "tasks.max": Enter the maximum number of tasks for the connector to use. More tasks may improve performance.

  • "topics": Enter the topic name or a comma-separated list of topic names.

Single Message Transforms: See the Single Message Transforms (SMT) documentation for details about adding SMTs using the CLI.

See Configuration Properties for all property values and descriptions.

Step 3: Load the properties file and create the connector

Enter the following command to load the configuration and start the connector:

confluent connect cluster create --config-file <file-name>.json

For example:

confluent connect cluster create --config-file splunk-sink-config.json

Example output:

Created connector SplunkSinkConnector_0 lcc-do6vzd

Step 4: Check the connector status.

Enter the following command to check the connector status:

confluent connect cluster list

Example output:

ID           |             Name                | Status  | Type | Trace
+------------+---------------------------------+---------+------+-------+
lcc-do6vzd   | SplunkSinkConnector_0           | RUNNING | sink |       |

Step 5: Check for records

Verify that records are populating Splunk.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.

Configuration Properties

Use the following configuration properties with the fully-managed connector. For self-managed connector property definitions and other details, see the connector docs in Self-managed connectors for Confluent Platform.

Which topics do you want to get data from?

topics

Identifies the topic name or a comma-separated list of topic names.

  • Type: list
  • Importance: high

Schema Config

schema.context.name

Add a schema context name. A schema context represents an independent scope in Schema Registry. It is a separate sub-schema tied to topics in different Kafka clusters that share the same Schema Registry instance. If not used, the connector uses the default schema configured for Schema Registry in your Confluent Cloud environment.

  • Type: string
  • Default: default
  • Importance: medium

Input messages

input.data.format

Sets the input Kafka record value format. Valid entries are AVRO, JSON, JSON_SR, PROTOBUF, or STRING. Note that you need to have Confluent Cloud Schema Registry configured if using a schema-based message format like AVRO, JSON_SR, and PROTOBUF.

  • Type: string
  • Importance: high

How should we connect to your data?

name

Sets a name for your connector.

  • Type: string
  • Valid Values: A string at most 64 characters long
  • Importance: high

Kafka Cluster credentials

kafka.auth.mode

Kafka Authentication mode. It can be one of KAFKA_API_KEY or SERVICE_ACCOUNT. It defaults to KAFKA_API_KEY mode.

  • Type: string
  • Default: KAFKA_API_KEY
  • Valid Values: KAFKA_API_KEY, SERVICE_ACCOUNT
  • Importance: high
kafka.api.key

Kafka API Key. Required when kafka.auth.mode==KAFKA_API_KEY.

  • Type: password
  • Importance: high
kafka.service.account.id

The Service Account that will be used to generate the API keys to communicate with Kafka Cluster.

  • Type: string
  • Importance: high
kafka.api.secret

Secret associated with Kafka API key. Required when kafka.auth.mode==KAFKA_API_KEY.

  • Type: password
  • Importance: high

How should we connect to Splunk?

splunk.hec.uri

Either a list of FQDNs or IPs of all Splunk indexers, separated with a ‘,’ or a load balancer. The connector will load balance to indexers using round robin. Example: https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088.

  • Type: string
  • Importance: high
splunk.hec.token

Splunk HTTP Event Collector token.

  • Type: password
  • Importance: high
splunk.hec.ssl.validate.certs

Enables or disables HTTPS certification validation.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.ssl.trust.store.file

The certificate trust store containing the certificates required to validate the SSL connection.

  • Type: password
  • Default: [hidden]
  • Importance: high
splunk.hec.ssl.trust.store.password

Password for the certificate trust store.

  • Type: password
  • Importance: high

Metadata configuration

splunk.indexes

Splunk index names for Kafka topic data separated by comma for multiple topics to indexers (“prod-index1,prod-index2,prod-index3”).

  • Type: string
  • Default: default
  • Importance: medium
splunk.sourcetypes

Splunk event sourcetype metadata for Kafka topic data.

  • Type: string
  • Importance: medium
splunk.sources

Splunk event source metadata for Kafka topic data.

  • Type: string
  • Importance: medium

Endpoint configuration

splunk.hec.raw

When set to true, the connector ingests data using the the /raw HEC endpoint.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.hec.raw.line.breaker

Only applicable to /raw HEC endpoint. The setting is used to specify a custom line breaker to help Splunk separate the events correctly.

  • Type: string
  • Importance: medium
splunk.hec.json.event.enrichment

Only applicable to /event HEC endpoint. This setting is used to enrich raw data with extra metadata fields. It contains a list of key value pairs separated by “,”.

  • Type: string
  • Importance: low
splunk.hec.track.data

Only applicable to /event HEC endpoint. When set to true, data loss and data injection latency metadata will be indexed along with raw data.

  • Type: boolean
  • Default: false
  • Importance: low

HEC configuration

splunk.hec.http.keepalive

Enables or disables HTTP connection keep-alive.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.max.http.connection.per.channel

Max HTTP connections pooled for one HEC Channel when posting events to Splunk.

  • Type: int
  • Default: 2
  • Importance: medium
splunk.hec.total.channels

Total HEC Channels used to post events to Splunk.

  • Type: int
  • Default: 2
  • Importance: high
splunk.hec.socket.timeout

Max duration in seconds to read / write data to network before internal TCP Socket timeout.

  • Type: int
  • Default: 10
  • Importance: low
splunk.hec.use.record.timestamp

When set to true, The timestamp is retrieved from the Kafka record and passed to Splunk as a HEC metadata override.

  • Type: boolean
  • Default: true
  • Importance: medium
splunk.hec.threads

The number of threads spawned to do data injection via HEC in a single connector task.

  • Type: int
  • Default: 1
  • Valid Values: [1,…,10]
  • Importance: low
splunk.hec.max.outstanding.events

Maximum amount of unacknowledged events kept in memory by connector. Will trigger back-pressure event to slow collection.

  • Type: int
  • Default: 10000
  • Valid Values: [10000,…,100000]
  • Importance: medium
splunk.hec.max.retries

Number of retries for failed batches before giving up. By default this is set to -1 which will retry indefinitely.

  • Type: int
  • Default: -1
  • Importance: medium
splunk.hec.backoff.threshhold.seconds

The amount of time the connector waits on errors sending events to Splunk to attempt resending it.

  • Type: int
  • Default: 60
  • Importance: medium
splunk.hec.json.event.formatted

Set to true for events that are already in HEC format.

  • Type: boolean
  • Default: false
  • Importance: low
splunk.hec.max.batch.size

Maximum batch size when posting events to Splunk. The size is the actual number of Kafka events not the byte size.

  • Type: int
  • Default: 500
  • Importance: medium
splunk.hec.lb.poll.interval

This setting controls the load balancer polling interval.

  • Type: int
  • Default: 120
  • Importance: low
splunk.flush.window

The interval in seconds at which the events from kafka will be flushed to Splunk.

  • Type: int
  • Default: 30
  • Importance: low

Acknowledgement configuration

splunk.hec.ack.enabled

When set to true the connector will poll event ACKs for POST events before check-pointing the Kafka offsets. This is used to prevent data loss, as this setting implements guaranteed delivery.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.hec.ack.poll.interval

This setting is only applicable when splunk.hec.ack.enabled is set to true. Internally it controls the event ACKs polling interval.

  • Type: int
  • Default: 10
  • Importance: medium
splunk.hec.ack.poll.threads

This setting is only applicable when splunk.hec.ack.enabled is set to true. It controls how many threads should be spawned to poll event ACKs.

  • Type: int
  • Default: 1
  • Valid Values: [1,…,10]
  • Importance: medium
splunk.hec.event.timeout

This setting is only applicable when splunk.hec.ack.enabled is set to true. When events are POSTed to Splunk and before they are ACKed, this setting determines how long the connector will wait before timing out and resending.

  • Type: int
  • Default: 300
  • Importance: medium

Headers configuration

splunk.header.support

When set to true the connector will parse Kafka headers for use as metadata in Splunk events.

  • Type: boolean
  • Default: false
  • Importance: medium
splunk.header.custom

This setting will look for kafka record headers with these values and add them to each event if present. Custom headers are configured separated by comma for multiple headers. Example: “custom_header_1,custom_header_2,custom_header_3”.

  • Type: string
  • Importance: medium
splunk.header.index

Header to use for Splunk Header Index

  • Type: string
  • Default: splunk.header.index
  • Importance: medium
splunk.header.source

Header to use for Splunk Header Source

  • Type: string
  • Default: splunk.header.source
  • Importance: medium
splunk.header.sourcetype

Header to use for Splunk Header Sourcetype

  • Type: string
  • Default: splunk.header.sourcetype
  • Importance: medium
splunk.header.host

Header to use for Splunk Header Host

  • Type: string
  • Default: splunk.header.host
  • Importance: medium

Consumer configuration

max.poll.interval.ms

The maximum delay between subsequent consume requests to Kafka. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 300000 milliseconds (5 minutes).

  • Type: long
  • Default: 300000 (5 minutes)
  • Valid Values: [60000,…,1800000] for non-dedicated clusters and [60000,…] for dedicated clusters
  • Importance: low
max.poll.records

The maximum number of records to consume from Kafka in a single request. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 500 records.

  • Type: long
  • Default: 500
  • Valid Values: [1,…,500] for non-dedicated clusters and [1,…] for dedicated clusters
  • Importance: low

Number of tasks for this connector

tasks.max

Maximum number of tasks for the connector.

  • Type: int
  • Valid Values: [1,…]
  • Importance: high

Auto-restart policy

auto.restart.on.user.error

Enable connector to automatically restart on user-actionable errors.

  • Type: boolean
  • Default: true
  • Importance: medium

Additional Configs

consumer.override.auto.offset.reset

Defines the behavior of the consumer when there is no committed position (which occurs when the group is first initialized) or when an offset is out of range. You can choose either to reset the position to the “earliest” offset or the “latest” offset (the default). You can also select “none” if you would rather set the initial offset yourself and you are willing to handle out of range errors manually. More details: https://docs.confluent.io/platform/current/installation/configuration/consumer-configs.html#auto-offset-reset

  • Type: string
  • Importance: low
consumer.override.isolation.level

Controls how to read messages written transactionally. If set to read_committed, consumer.poll() will only return transactional messages which have been committed. If set to read_uncommitted (the default), consumer.poll() will return all messages, even transactional messages which have been aborted. Non-transactional messages will be returned unconditionally in either mode. More details: https://docs.confluent.io/platform/current/installation/configuration/consumer-configs.html#isolation-level

  • Type: string
  • Importance: low
header.converter

The converter class for the headers. This is used to serialize and deserialize the headers of the messages.

  • Type: string
  • Importance: low
value.converter.allow.optional.map.keys

Allow optional string map key when converting from Connect Schema to Avro Schema. Applicable for Avro Converters.

  • Type: boolean
  • Importance: low
value.converter.auto.register.schemas

Specify if the Serializer should attempt to register the Schema.

  • Type: boolean
  • Importance: low
value.converter.connect.meta.data

Allow the Connect converter to add its metadata to the output schema. Applicable for Avro Converters.

  • Type: boolean
  • Importance: low
value.converter.enhanced.avro.schema.support

Enable enhanced schema support to preserve package information and Enums. Applicable for Avro Converters.

  • Type: boolean
  • Importance: low
value.converter.enhanced.protobuf.schema.support

Enable enhanced schema support to preserve package information. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.flatten.unions

Whether to flatten unions (oneofs). Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.generate.index.for.unions

Whether to generate an index suffix for unions. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.generate.struct.for.nulls

Whether to generate a struct variable for null values. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.int.for.enums

Whether to represent enums as integers. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.latest.compatibility.strict

Verify latest subject version is backward compatible when use.latest.version is true.

  • Type: boolean
  • Importance: low
value.converter.object.additional.properties

Whether to allow additional properties for object schemas. Applicable for JSON_SR Converters.

  • Type: boolean
  • Importance: low
value.converter.optional.for.nullables

Whether nullable fields should be specified with an optional label. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.optional.for.proto2

Whether proto2 optionals are supported. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.use.latest.version

Use latest version of schema in subject for serialization when auto.register.schemas is false.

  • Type: boolean
  • Importance: low
value.converter.use.optional.for.nonrequired

Whether to set non-required properties to be optional. Applicable for JSON_SR Converters.

  • Type: boolean
  • Importance: low
value.converter.wrapper.for.nullables

Whether nullable fields should use primitive wrapper messages. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
value.converter.wrapper.for.raw.primitives

Whether a wrapper message should be interpreted as a raw primitive at root level. Applicable for Protobuf Converters.

  • Type: boolean
  • Importance: low
key.converter.key.subject.name.strategy

How to construct the subject name for key schema registration.

  • Type: string
  • Default: TopicNameStrategy
  • Importance: low
value.converter.decimal.format

Specify the JSON/JSON_SR serialization format for Connect DECIMAL logical type values with two allowed literals:

BASE64 to serialize DECIMAL logical types as base64 encoded binary data and

NUMERIC to serialize Connect DECIMAL logical type values in JSON/JSON_SR as a number representing the decimal value.

  • Type: string
  • Default: BASE64
  • Importance: low
value.converter.flatten.singleton.unions

Whether to flatten singleton unions. Applicable for Avro and JSON_SR Converters.

  • Type: boolean
  • Default: false
  • Importance: low
value.converter.reference.subject.name.strategy

Set the subject reference name strategy for value. Valid entries are DefaultReferenceSubjectNameStrategy or QualifiedReferenceSubjectNameStrategy. Note that the subject reference name strategy can be selected only for PROTOBUF format with the default strategy being DefaultReferenceSubjectNameStrategy.

  • Type: string
  • Default: DefaultReferenceSubjectNameStrategy
  • Importance: low
value.converter.value.subject.name.strategy

Determines how to construct the subject name under which the value schema is registered with Schema Registry.

  • Type: string
  • Default: TopicNameStrategy
  • Importance: low

Next Steps

For an example that shows fully-managed Confluent Cloud connectors in action with Confluent Cloud ksqlDB, see the Cloud ETL Demo. This example also shows how to use Confluent CLI to manage your resources in Confluent Cloud.

../_images/topology.png