Splunk Sink Connector for Confluent Cloud¶
The fully-managed Splunk Sink connector for Confluent Cloud is used to move messages from Apache Kafka® to Splunk using the Splunk HTTP Event Collector (HEC).
Note
- This Quick Start is for the fully-managed Confluent Cloud connector. If you are installing the connector locally for Confluent Platform, see Splunk Sink Connector for Confluent Platform.
- If you require private networking for fully-managed connectors, make sure to set up the proper networking beforehand. For more information, see Manage Networking for Confluent Cloud Connectors.
Features¶
The Splunk Sink connector supports the following features:
- At least once delivery: This connector guarantees that records from the Kafka topic are delivered at least once.
- Supports multiple tasks: The connector supports running one or more tasks. More tasks may improve performance (that is, consumer lag is reduced with multiple tasks running).
For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.
Limitations¶
Be sure to review the following information.
- For connector limitations, see Splunk Sink Connector limitations.
- If you plan to use one or more Single Message Transforms (SMTs), see SMT Limitations.
- If you plan to use Confluent Cloud Schema Registry, see Schema Registry Enabled Environments.
Quick Start¶
Use this quick start to get up and running with the Confluent Cloud Splunk Sink connector. The quick start provides the basics of selecting the connector and configuring it to stream events to Splunk.
- Prerequisites
- Authorized access to a Confluent Cloud cluster on Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud.
- The Confluent CLI installed and configured for the cluster. See Install the Confluent CLI.
- Authorized access to Splunk.
- Schema Registry must be enabled to use a Schema Registry-based format (for example, Avro, JSON_SR (JSON Schema), or Protobuf). See Schema Registry Enabled Environments for additional information.
- At least one source Kafka topic must exist in your Confluent Cloud cluster before creating the sink connector.
Using the Confluent Cloud Console¶
Step 1: Launch your Confluent Cloud cluster¶
See the Quick Start for Confluent Cloud for installation instructions.
Step 2: Add a connector¶
In the left navigation menu, click Connectors. If you already have connectors in your cluster, click + Add connector.
Step 4: Enter the connector details¶
Note
- Make sure you have all your prerequisites completed.
- An asterisk ( * ) designates a required entry.
- Descriptions for optional UI properties are not provided in the following steps. See Configuration Properties for configuration property values and descriptions.
At the Add Splunk Sink Connector screen, complete the following:
If you’ve already populated your Kafka topics, select the topics you want to connect from the Topics list.
To create a new topic, click +Add new topic.
- Select the way you want to provide Kafka Cluster credentials. You can
choose one of the following options:
- My account: This setting allows your connector to globally access everything that you have access to. With a user account, the connector uses an API key and secret to access the Kafka cluster. This option is not recommended for production.
- Service account: This setting limits the access for your connector by using a service account. This option is recommended for production.
- Use an existing API key: This setting allows you to specify an API key and a secret pair. You can use an existing pair or create a new one. This method is not recommended for production environments.
- Click Continue.
- Enter your Splunk HEC URIs-a comma-separated list of FQDNs or IP
addresses for all Splunk indexers, or add a load balancer. For Splunk
indexers, load balancing uses round-robin scheduling. Example:
https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088
. - Enter your Splunk HEC Token-the Splunk HTTP Event Collector token.
- For Splunk HEC SSL Validate Certificates, select
true
orfalse
, whether to enable or disable HTTPS certification validation. - Upload your Splunk HEC SSL Trust Store file, which is the certificate trust store containing the certificates required to validate the SSL connection.
- Enter your Splunk HEC SSL Trust Store Password-the password for the certificate trust store.
- Click Continue.
Note
Configuration properties that are not shown in the Cloud Console use the default values. See Configuration Properties for all property values and definitions.
Select an Input Kafka record value format (data coming from the Kafka topic): AVRO, PROTOBUF, JSON_SR (JSON Schema), JSON (schemaless), or STRING. A valid schema must be available in Schema Registry to use a schema-based message format (for example, Avro, JSON_SR (JSON Schema), or Protobuf). See Schema Registry Enabled Environments for additional information.
Show advanced configurations
Schema context: Select a schema context to use for this connector, if using a schema-based data format. This property defaults to the Default context, which configures the connector to use the default schema set up for Schema Registry in your Confluent Cloud environment. A schema context allows you to use separate schemas (like schema sub-registries) tied to topics in different Kafka clusters that share the same Schema Registry environment. For example, if you select a non-default context, a Source connector uses only that schema context to register a schema and a Sink connector uses only that schema context to read from. For more information about setting up a schema context, see What are schema contexts and when should you use them?.
Splunk Indexes: Splunk index names for Kafka topic data separated by comma for multiple topics to indexers.
Splunk Sourcetypes: Splunk event sourcetype metadata for Kafka topic data.
Splunk Sources: Splunk event source metadata for Kafka topic data.
Splunk HEC Raw: When set to
true
, the connector ingests data using the the/raw
HEC endpoint.Splunk HEC Raw Line Breaker: Only applicable to
/raw
HEC endpoint. The setting is used to specify a custom line breaker to help Splunk separate the events correctly.Splunk HEC JSON Event Enrichment: Only applicable to
/event
HEC endpoint. This setting is used to enrich raw data with extra metadata fields. It contains a list of key value pairs separated by\",\"."
.Splunk HEC Track Data: Only applicable to
/event
HEC endpoint. When set totrue
, data loss and data injection latency metadata will be indexed along with raw data.Splunk HEC HTTP Keep-alive: Enables or disables HTTP connection keep-alive.
Splunk HEC Max HTTP Connections Per Channel: Max HTTP connections pooled for one HEC Channel when posting events to Splunk.
Splunk HEC Total Channels: Total HEC Channels used to post events to Splunk.
Splunk HEC Socket Timeout (s): Max duration in seconds to read or write data to network before internal TCP Socket timeout.
Splunk HEC Use Record Timestamp: When set to
true
, The timestamp is retrieved from the Kafka record and passed to Splunk as a HEC metadata override.Splunk HEC Threads: The number of threads spawned to do data injection via HEC in a single connector task.
Splunk HEC Max Outstanding Events: Maximum amount of unacknowledged events kept in memory by the connector. The connector triggers a back-pressure event to slow collection if unacknowledged events reach the maximum amount.
Splunk HEC Max Retries: Number of retries for failed batches before giving up. By default this is set to -1 which will retry indefinitely.
Splunk HEC Backoff Threshold (s): The amount of time the connector waits on errors sending events to Splunk to attempt resending it.
Splunk HEC JSON Event Formatted: Set to
true
for events that are already in HEC format.Splunk HEC Max Batch Size: Maximum batch size when posting events to Splunk. The size is the actual number of Kafka events not the byte size.
Splunk HEC Load Balancer Poll Interval (s): This setting controls the load balancer polling interval.
Splunk Flush Window (s): The interval in seconds at which the events from Kafka will be flushed to Splunk.
Splunk HEC Ack Enabled: When set to
true
the connector will poll event ACKs for POST events before check-pointing the Kafka offsets. This is used to prevent data loss, as this setting implements guaranteed delivery.Splunk HEC Ack Poll Interval (s): This setting is only applicable when
splunk.hec.ack.enabled
is set totrue
. Internally it controls the event ACKs polling interval.Splunk HEC Ack Poll Threads: This setting is only applicable when
splunk.hec.ack.enabled
is set totrue
. It controls how many threads should be spawned to poll event ACKs.Splunk HEC Event Timeout (s): This setting is only applicable when
splunk.hec.ack.enabled
is set totrue
. When events are POSTed to Splunk and before they are ACKed, this setting determines how long the connector will wait before timing out and resending.Splunk Header Support: When set to
true
the connector will parse Kafka headers for use as metadata in Splunk events.Splunk Header Custom: This setting will look for kafka record headers with these values and add them to each event if present. Custom headers are configured separated by comma for multiple headers.
Splunk Header Index: Header to use for Splunk Header Index.
plunk Header Source: Header to use for Splunk Header Source.
Splunk Header Sourcetype: Header to use for Splunk Header Sourcetype.
Splunk Header Host: Header to use for Splunk Header Host.
For information about transforms and predicates, see the Single Message Transforms (SMT) documentation for details. See Unsupported transformations for a list of SMTs that are not supported with this connector.
See Configuration Properties for all property values and definitions.
Click Continue.
Based on the number of topic partitions you select, you will be provided with a recommended number of tasks.
- To change the number of recommended tasks, enter the number of tasks for the connector to use in the Tasks field.
- Click Continue.
Verify the connection details.
Click Launch.
The status for the connector should go from Provisioning to Running.
Step 5: Check for records¶
Verify that records are being produced at Splunk.
For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.
Tip
When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.
Using the Confluent CLI¶
To set up and run the connector using the Confluent CLI, complete the following steps.
Note
Make sure you have all your prerequisites completed.
Step 1: List the available connectors¶
Enter the following command to list available connectors:
confluent connect plugin list
Step 2: List the connector configuration properties¶
Enter the following command to show the connector configuration properties:
confluent connect plugin describe <connector-plugin-name>
The command output shows the required and optional configuration properties.
Step 3: Create the connector configuration file¶
Create a JSON file that contains the connector configuration properties. The following example shows the required connector properties.
{
"connector.class": "SplunkSink",
"topics": "orders",
"name": "SplunkSinkConnector_0",
"input.data.format": "AVRO",
"kafka.auth.mode": "KAFKA_API_KEY",
"kafka.api.key": "<my-kafka-api-key>",
"kafka.api.secret": "<my-kafka-api-secret>",
"splunk.hec.uri": "https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088",
"splunk.hec.token": "<token>",
"tasks.max": "1",
}
Note the following property definitions:
"connector.class"
: Identifies the connector plugin name."input.data.format"
: Sets the input Kafka record value format (data coming from the Kafka topic). Valid entries are AVRO, JSON_SR, PROTOBUF, JSON, or STRING. You must have Confluent Cloud Schema Registry configured if using a schema-based message format (for example, Avro, JSON_SR (JSON Schema), or Protobuf)."name"
: Sets a name for your new connector.
"kafka.auth.mode"
: Identifies the connector authentication mode you want to use. There are two options:SERVICE_ACCOUNT
orKAFKA_API_KEY
(the default). To use an API key and secret, specify the configuration propertieskafka.api.key
andkafka.api.secret
, as shown in the example configuration (above). To use a service account, specify the Resource ID in the propertykafka.service.account.id=<service-account-resource-ID>
. To list the available service account resource IDs, use the following command:confluent iam service-account list
For example:
confluent iam service-account list Id | Resource ID | Name | Description +---------+-------------+-------------------+------------------- 123456 | sa-l1r23m | sa-1 | Service account 1 789101 | sa-l4d56p | sa-2 | Service account 2
"splunk.hec.uri"
: Add a comma-separated list of FQDNs or IP addresses for all Splunk indexers, or add a load balancer. For Splunk indexers, load balancing uses round-robin scheduling. Example:https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088
."splunk.hec.token"
: Add the Splunk HTTP Event Collector token."tasks.max"
: Enter the maximum number of tasks for the connector to use. More tasks may improve performance."topics"
: Enter the topic name or a comma-separated list of topic names.
Single Message Transforms: See the Single Message Transforms (SMT) documentation for details about adding SMTs using the CLI.
See Configuration Properties for all property values and descriptions.
Step 3: Load the properties file and create the connector¶
Enter the following command to load the configuration and start the connector:
confluent connect cluster create --config-file <file-name>.json
For example:
confluent connect cluster create --config-file splunk-sink-config.json
Example output:
Created connector SplunkSinkConnector_0 lcc-do6vzd
Step 4: Check the connector status.¶
Enter the following command to check the connector status:
confluent connect cluster list
Example output:
ID | Name | Status | Type | Trace
+------------+---------------------------------+---------+------+-------+
lcc-do6vzd | SplunkSinkConnector_0 | RUNNING | sink | |
Step 5: Check for records¶
Verify that records are populating Splunk.
For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.
Tip
When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.
Configuration Properties¶
Use the following configuration properties with the fully-managed connector. For self-managed connector property definitions and other details, see the connector docs in Self-managed connectors for Confluent Platform.
Which topics do you want to get data from?¶
topics
Identifies the topic name or a comma-separated list of topic names.
- Type: list
- Importance: high
Schema Config¶
schema.context.name
Add a schema context name. A schema context represents an independent scope in Schema Registry. It is a separate sub-schema tied to topics in different Kafka clusters that share the same Schema Registry instance. If not used, the connector uses the default schema configured for Schema Registry in your Confluent Cloud environment.
- Type: string
- Default: default
- Importance: medium
Input messages¶
input.data.format
Sets the input Kafka record value format. Valid entries are AVRO, JSON, JSON_SR, PROTOBUF, or STRING. Note that you need to have Confluent Cloud Schema Registry configured if using a schema-based message format like AVRO, JSON_SR, and PROTOBUF.
- Type: string
- Importance: high
How should we connect to your data?¶
name
Sets a name for your connector.
- Type: string
- Valid Values: A string at most 64 characters long
- Importance: high
Kafka Cluster credentials¶
kafka.auth.mode
Kafka Authentication mode. It can be one of KAFKA_API_KEY or SERVICE_ACCOUNT. It defaults to KAFKA_API_KEY mode.
- Type: string
- Default: KAFKA_API_KEY
- Valid Values: KAFKA_API_KEY, SERVICE_ACCOUNT
- Importance: high
kafka.api.key
Kafka API Key. Required when kafka.auth.mode==KAFKA_API_KEY.
- Type: password
- Importance: high
kafka.service.account.id
The Service Account that will be used to generate the API keys to communicate with Kafka Cluster.
- Type: string
- Importance: high
kafka.api.secret
Secret associated with Kafka API key. Required when kafka.auth.mode==KAFKA_API_KEY.
- Type: password
- Importance: high
How should we connect to Splunk?¶
splunk.hec.uri
Either a list of FQDNs or IPs of all Splunk indexers, separated with a ‘,’ or a load balancer. The connector will load balance to indexers using round robin. Example: https://hec1.splunk.com:8088,https://hec2.splunk.com:8088,https://hec3.splunk.com:8088.
- Type: string
- Importance: high
splunk.hec.token
Splunk HTTP Event Collector token.
- Type: password
- Importance: high
splunk.hec.ssl.validate.certs
Enables or disables HTTPS certification validation.
- Type: boolean
- Default: true
- Importance: medium
splunk.hec.ssl.trust.store.file
The certificate trust store containing the certificates required to validate the SSL connection.
- Type: password
- Default: [hidden]
- Importance: high
splunk.hec.ssl.trust.store.password
Password for the certificate trust store.
- Type: password
- Importance: high
Metadata configuration¶
splunk.indexes
Splunk index names for Kafka topic data separated by comma for multiple topics to indexers (“prod-index1,prod-index2,prod-index3”).
- Type: string
- Default: default
- Importance: medium
splunk.sourcetypes
Splunk event sourcetype metadata for Kafka topic data.
- Type: string
- Importance: medium
splunk.sources
Splunk event source metadata for Kafka topic data.
- Type: string
- Importance: medium
Endpoint configuration¶
splunk.hec.raw
When set to true, the connector ingests data using the the /raw HEC endpoint.
- Type: boolean
- Default: false
- Importance: medium
splunk.hec.raw.line.breaker
Only applicable to /raw HEC endpoint. The setting is used to specify a custom line breaker to help Splunk separate the events correctly.
- Type: string
- Importance: medium
splunk.hec.json.event.enrichment
Only applicable to /event HEC endpoint. This setting is used to enrich raw data with extra metadata fields. It contains a list of key value pairs separated by “,”.
- Type: string
- Importance: low
splunk.hec.track.data
Only applicable to /event HEC endpoint. When set to true, data loss and data injection latency metadata will be indexed along with raw data.
- Type: boolean
- Default: false
- Importance: low
HEC configuration¶
splunk.hec.http.keepalive
Enables or disables HTTP connection keep-alive.
- Type: boolean
- Default: true
- Importance: medium
splunk.hec.max.http.connection.per.channel
Max HTTP connections pooled for one HEC Channel when posting events to Splunk.
- Type: int
- Default: 2
- Importance: medium
splunk.hec.total.channels
Total HEC Channels used to post events to Splunk.
- Type: int
- Default: 2
- Importance: high
splunk.hec.socket.timeout
Max duration in seconds to read / write data to network before internal TCP Socket timeout.
- Type: int
- Default: 10
- Importance: low
splunk.hec.use.record.timestamp
When set to true, The timestamp is retrieved from the Kafka record and passed to Splunk as a HEC metadata override.
- Type: boolean
- Default: true
- Importance: medium
splunk.hec.threads
The number of threads spawned to do data injection via HEC in a single connector task.
- Type: int
- Default: 1
- Valid Values: [1,…,10]
- Importance: low
splunk.hec.max.outstanding.events
Maximum amount of unacknowledged events kept in memory by connector. Will trigger back-pressure event to slow collection.
- Type: int
- Default: 10000
- Valid Values: [10000,…,100000]
- Importance: medium
splunk.hec.max.retries
Number of retries for failed batches before giving up. By default this is set to -1 which will retry indefinitely.
- Type: int
- Default: -1
- Importance: medium
splunk.hec.backoff.threshhold.seconds
The amount of time the connector waits on errors sending events to Splunk to attempt resending it.
- Type: int
- Default: 60
- Importance: medium
splunk.hec.json.event.formatted
Set to true for events that are already in HEC format.
- Type: boolean
- Default: false
- Importance: low
splunk.hec.max.batch.size
Maximum batch size when posting events to Splunk. The size is the actual number of Kafka events not the byte size.
- Type: int
- Default: 500
- Importance: medium
splunk.hec.lb.poll.interval
This setting controls the load balancer polling interval.
- Type: int
- Default: 120
- Importance: low
splunk.flush.window
The interval in seconds at which the events from kafka will be flushed to Splunk.
- Type: int
- Default: 30
- Importance: low
Acknowledgement configuration¶
splunk.hec.ack.enabled
When set to true the connector will poll event ACKs for POST events before check-pointing the Kafka offsets. This is used to prevent data loss, as this setting implements guaranteed delivery.
- Type: boolean
- Default: false
- Importance: medium
splunk.hec.ack.poll.interval
This setting is only applicable when splunk.hec.ack.enabled is set to true. Internally it controls the event ACKs polling interval.
- Type: int
- Default: 10
- Importance: medium
splunk.hec.ack.poll.threads
This setting is only applicable when splunk.hec.ack.enabled is set to true. It controls how many threads should be spawned to poll event ACKs.
- Type: int
- Default: 1
- Valid Values: [1,…,10]
- Importance: medium
splunk.hec.event.timeout
This setting is only applicable when splunk.hec.ack.enabled is set to true. When events are POSTed to Splunk and before they are ACKed, this setting determines how long the connector will wait before timing out and resending.
- Type: int
- Default: 300
- Importance: medium
Headers configuration¶
splunk.header.support
When set to true the connector will parse Kafka headers for use as metadata in Splunk events.
- Type: boolean
- Default: false
- Importance: medium
splunk.header.custom
This setting will look for kafka record headers with these values and add them to each event if present. Custom headers are configured separated by comma for multiple headers. Example: “custom_header_1,custom_header_2,custom_header_3”.
- Type: string
- Importance: medium
splunk.header.index
Header to use for Splunk Header Index
- Type: string
- Default: splunk.header.index
- Importance: medium
splunk.header.source
Header to use for Splunk Header Source
- Type: string
- Default: splunk.header.source
- Importance: medium
splunk.header.sourcetype
Header to use for Splunk Header Sourcetype
- Type: string
- Default: splunk.header.sourcetype
- Importance: medium
splunk.header.host
Header to use for Splunk Header Host
- Type: string
- Default: splunk.header.host
- Importance: medium
Consumer configuration¶
max.poll.interval.ms
The maximum delay between subsequent consume requests to Kafka. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 300000 milliseconds (5 minutes).
- Type: long
- Default: 300000 (5 minutes)
- Valid Values: [60000,…,1800000] for non-dedicated clusters and [60000,…] for dedicated clusters
- Importance: low
max.poll.records
The maximum number of records to consume from Kafka in a single request. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 500 records.
- Type: long
- Default: 500
- Valid Values: [1,…,500] for non-dedicated clusters and [1,…] for dedicated clusters
- Importance: low
Number of tasks for this connector¶
tasks.max
Maximum number of tasks for the connector.
- Type: int
- Valid Values: [1,…]
- Importance: high
Next Steps¶
For an example that shows fully-managed Confluent Cloud connectors in action with Confluent Cloud ksqlDB, see the Cloud ETL Demo. This example also shows how to use Confluent CLI to manage your resources in Confluent Cloud.