Splunk Source Connector for Confluent Platform

The Splunk Source Connector provides a way to integrate Splunk with Apache Kafka®. The connector receives data from applications that would normally send data to a Splunk HTTP Event Collector (HEC).

The connector supports X-Forwarded-For, which allows it to be used behind a load balancer.

Note

The connector does not support receiving data from a Splunk Universal Forwarder or Splunk Heavy Forwarder.

Important

This connector listens on a network port. Running more than one connector task or running in distributed mode can cause undesirable effects if another task already has the port open. It is recommended that you run this connector in Standalone Mode.

Features

At least once delivery

This connector guarantees that records are delivered at least once to the Kafka topic. If the connector restarts, there may be some duplicate records in the Kafka topic.

Prerequisites

The following are required to run the Splunk Source Connector:

  • Kafka Broker: Confluent Platform 3.3.0 or above
  • Connect: Confluent Platform 4.1.0 or above
  • Java 1.8

Install the Splunk Source Connector

You can install this connector by using the Confluent Hub client installation instructions or by manually downloading the ZIP file.

Prerequisites

Note

You must install the connector on every machine where Connect will run.

  • An install of the Confluent Hub Client.

    Note

    This is installed by default with Confluent Enterprise.

  • An install of the latest connector version.

    To install the latest connector version, navigate to your Confluent Platform installation directory and run the following command:

    confluent-hub install confluentinc/kafka-connect-splunk-source:latest
    

    You can install a specific version by replacing latest with a version number as shown in the following example:

    confluent-hub install confluentinc/kafka-connect-splunk-source:1.0.0-preview
    

Install the connector manually

Download and extract the ZIP file for your connector and then follow the manual connector installation instructions.

License

You can use this connector for a 30-day trial period without a license key.

After 30 days, this connector is available under a Confluent enterprise license. Confluent issues Confluent enterprise license keys to subscribers, along with providing enterprise-level support for Confluent Platform and your connectors. If you are a subscriber, please contact Confluent Support at support@confluent.io for more information.

See Confluent Platform license for license properties and License topic configuration for information about the license topic.

Configuration Properties

For a complete list of configuration properties for this connector, see Splunk Source Connector Configuration Properties.

Note

For an example of how to get Kafka Connect connected to Confluent Cloud, see Distributed Cluster.

Quick Start

This quick start uses the Splunk Source Connector to receive application data and ingest it into Kafka.

  1. Install the connector using the Confluent Hub Client.

    # run from your CP installation directory
    confluent-hub install confluentinc/kafka-connect-splunk-source:latest
    
  2. Start the Confluent Platform.

    Tip

    The command syntax for the Confluent CLI development commands changed in 5.3.0. These commands have been moved to confluent local. For example, the syntax for confluent start is now confluent local services start. For more information, see confluent local.

    confluent local services start
    
  3. Create a splunk-source.properties file with the following contents:

    name=splunk-source
    kafka.topic=splunk-source
    tasks.max=1
    connector.class=io.confluent.connect.SplunkHttpSourceConnector
    splunk.collector.index.default=default-index
    splunk.port=8889
    splunk.ssl.key.store.path=/path/to/your/keystore.jks
    splunk.ssl.key.store.password=<keystore password>
    confluent.topic.bootstrap.servers=localhost:9092
    confluent.topic.replication.factor=1
    
  4. Load the Splunk Source Connector.

    confluent local services connect connector load splunk-source --config splunk-source.properties
    

    Important

    Don’t use the Confluent CLI in production environments.

  5. Confirm the connector is in a RUNNING state.

    confluent local services connect connector status splunk-source
    
  6. Simulate an application sending data to the connector.

    curl -k -X POST https://localhost:8889/services/collector/event -d '{"event":"from curl"}'
    
  7. Verify the data was ingested into the Kafka topic.

    kafka-avro-console-consumer --bootstrap-server localhost:9092 --topic splunk-source --from-beginning
    
  8. Shut down Confluent Platform.

    confluent local destroy
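
The following pre-flight check for the splunk-source.properties file from step 3 is an added example, not part of the Confluent documentation or tooling. It reads only property names shown in the quick start; the function names, finding labels, and the port and file-mode rules are this example's own assumptions, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the quick start's splunk-source.properties.

# Print the value of one key from a Java-style properties file (last one wins).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; no output means the file passed every check.
check_splunk_source_props() {
  local f="$1" tasks port pw ks
  tasks=$(prop "$f" 'tasks\.max')
  port=$(prop "$f" 'splunk\.port')
  pw=$(prop "$f" 'splunk\.ssl\.key\.store\.password')
  ks=$(prop "$f" 'splunk\.ssl\.key\.store\.path')
  # The connector listens on a port, so a second task would collide with the first.
  [ "${tasks:-1}" = "1" ] || echo "TASKS: tasks.max=$tasks, expected 1"
  # Example policy: ports below 1024 normally need elevated privileges to bind.
  case "$port" in
    ''|*[!0-9]*) echo "PORT: splunk.port missing or not numeric" ;;
    *) { [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]; } ||
         echo "PORT: $port is privileged or out of range" ;;
  esac
  # The template value from step 3 must be replaced before loading the connector.
  case "$pw" in
    ''|'<'*'>') echo "PASSWORD: keystore password empty or still a placeholder" ;;
  esac
  { [ -f "$ks" ] && [ -r "$ks" ]; } || echo "KEYSTORE: '$ks' is not a readable file"
  # The password sits in this file in clear text, so only the owner should read it.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
    echo "PERMS: $f is accessible to group or other"
  return 0
}

# Constructed sample input: a weak file, then a corrected one.
demo=$(mktemp -d)
: > "$demo/keystore.jks"
printf '%s\n' 'tasks.max=2' 'splunk.port=443' \
  "splunk.ssl.key.store.path=$demo/missing.jks" \
  'splunk.ssl.key.store.password=<keystore password>' > "$demo/weak.properties"
chmod 644 "$demo/weak.properties"
printf '%s\n' 'tasks.max=1' 'splunk.port=8889' \
  "splunk.ssl.key.store.path=$demo/keystore.jks" \
  'splunk.ssl.key.store.password=constructed-sample-value' > "$demo/ok.properties"
chmod 600 "$demo/ok.properties"
check_splunk_source_props "$demo/weak.properties"
check_splunk_source_props "$demo/ok.properties"
```

Run it against your own file with `check_splunk_source_props /path/to/splunk-source.properties` before step 4.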