title | keywords | description | ||||
---|---|---|---|---|---|---|
splunk-hec-logging |
|
This document contains information about the Apache APISIX splunk-hec-logging Plugin. |
The splunk-hec-logging
Plugin is used to forward logs to Splunk HTTP Event Collector (HEC) for analysis and storage.
When the Plugin is enabled, APISIX will serialize the request context information to Splunk Event Data format and submit it to the batch queue. When the maximum batch size is exceeded, the data in the queue is pushed to Splunk HEC. See batch processor for more details.
Name | Required | Default | Description |
---|---|---|---|
endpoint | True | Splunk HEC endpoint configurations. | |
endpoint.uri | True | Splunk HEC event collector API endpoint. | |
endpoint.token | True | Splunk HEC authentication token. | |
endpoint.channel | False | Splunk HEC send data channel identifier. Read more: About HTTP Event Collector Indexer Acknowledgment. | |
endpoint.timeout | False | 10 | Splunk HEC send data timeout in seconds. |
ssl_verify | False | true | When set to true enables SSL verification as per OpenResty docs. |
This Plugin supports using batch processors to aggregate and process entries (logs/data) in a batch. This avoids the need for frequently submitting the data. The batch processor submits data every 5
seconds or when the data in the queue reaches 1000
. See Batch Processor for more information or setting your custom configuration.
The example below shows a complete configuration of the Plugin on a specific Route:
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins":{
"splunk-hec-logging":{
"endpoint":{
"uri":"http://127.0.0.1:8088/services/collector",
"token":"BD274822-96AA-4DA6-90EC-18940FB2414C",
"channel":"FE0ECFAD-13D5-401B-847D-77833BD77131",
"timeout":60
},
"buffer_duration":60,
"max_retry_count":0,
"retry_delay":1,
"inactive_timeout":2,
"batch_max_size":10
}
},
"upstream":{
"type":"roundrobin",
"nodes":{
"127.0.0.1:1980":1
}
},
"uri":"/splunk.do"
}'
The example below shows a bare minimum configuration of the Plugin on a Route:
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"plugins":{
"splunk-hec-logging":{
"endpoint":{
"uri":"http://127.0.0.1:8088/services/collector",
"token":"BD274822-96AA-4DA6-90EC-18940FB2414C"
}
}
},
"upstream":{
"type":"roundrobin",
"nodes":{
"127.0.0.1:1980":1
}
},
"uri":"/splunk.do"
}'
Once you have configured the Route to use the Plugin, when you make a request to APISIX, it will be logged in your Splunk server:
curl -i http://127.0.0.1:9080/splunk.do?q=hello
You should be able to login and search these logs from your Splunk dashboard:
To disable the splunk-hec-logging
Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/hello",
"plugins": {},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}'