The Splunk Event Collector microservice sends application events to a Splunk deployment using HTTP or HTTPS (Secure HTTP) protocols. It generates tokens for Authentication enabling the HTTP client to send data to the SplunkEventCollector in a specific format, thereby eliminating an intermediate microservice to send application events.
Configuration and Testing
Component Configurations
The following attributes can be configured in the Component Configuration panel as shown below.
Figure 1: Component Configuration properties
Process Message Based on Property
The property helps components to skip certain messages from processing.
Validate Input
If this attribute is enabled, the service tries to validate the input received. If disabled, service will not validate the input. For more details, refer Validate Input section under Interaction Configurations in Common Configurations page.
Error handling configuration
The remedial actions to be taken when a particular error occurs can be configured using this attribute.
Click the ellipsis button against this property to configure Error Handling properties for different types of Errors. By default, the options Log to error logs, Stop service and Send to error port are enabled.
Refer the Error Handling section in Common Configurations for detailed information.
Connection Configuration
Figure 2: Connection Configuration
Host name
The name or address of the machine on which Splunk server runs.
Port
The port on which the above server runs.
Event Configuration
Click the Event Configuration ellipsis button to provide Event Configuration values.
Figure 3: Event Configuration
Add Metadata
This returns a list of source, source types, or hosts from a specified index or distributed search peer.
Enable this option to configure the following properties that appear.
Index
This identifies the index in which the event is located.
Source
The source of an event is the name of the file, stream, or other input from which the event originates.
Source Type
The source type of an event is the format of the data input from which it originates.
The source type determines how your data is to be formatted.
Host
An event host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated.
HTTP Authorization Token
The Event Collector Token.
Creating an HTTP Token
Channel Identifier
To send all events received by the component as raw events.
Batch Events
Send request in batched events.
Batch Size
Number of events in a batch.
SSL Configurations
Click the SSL Configurations ellipsis button to launch the editor to set SSL configurations.
Refer the SSL Security section for more information.
Threadpool Configuration
This property is used when there is a need to process messages in parallel within the component, still maintaining the sequence from the external perspective.
Click the Threadpool Configuration ellipsis button to configure the Threadpool Configuration properties.
Figure 4: Threadpool Configuration
Enable Thread Pool
Enable this option to configure the properties that appear as below.
Pool Size
Number of requests to be processed in parallel within the component. Default value is '1'.
Batch Eviction Interval (in ms)
Time in milliseconds after which the threads are evicted in case of inactivity. New threads are created in place of evicted threads when new requests are received. Default value is '1000'.
Functional Demonstration
Sending the application event to the SplunkEventCollector microservice. Configure SplunkEventCollector as described in Configuration and testing section above and use the Feeder microservice and Display microservice to send a sample input and check the response respectively.
Figure 5: Demonstrating a scenario with sample input and output
Input Message
Figure 6: Input message sent using feeder for S3Upload
Output Message
Figure 7: Output demonstrating the success