splunk-hec-logging.md

title: splunk-hec-logging
keywords: APISIX, Plugin, Splunk HTTP Event Collector, splunk-hec-logging
description: This document contains information about the Apache APISIX splunk-hec-logging Plugin.

Description

The splunk-hec-logging Plugin is used to forward logs to Splunk HTTP Event Collector (HEC) for analysis and storage.

When the Plugin is enabled, APISIX will serialize the request context information to Splunk Event Data format and submit it to the batch queue. When the maximum batch size is exceeded, the data in the queue is pushed to Splunk HEC. See batch processor for more details.

Attributes

| Name             | Required | Default | Description                                                                                                 |
|------------------|----------|---------|-------------------------------------------------------------------------------------------------------------|
| endpoint         | True     |         | Splunk HEC endpoint configurations.                                                                         |
| endpoint.uri     | True     |         | Splunk HEC event collector API endpoint.                                                                    |
| endpoint.token   | True     |         | Splunk HEC authentication token.                                                                            |
| endpoint.channel | False    |         | Splunk HEC send data channel identifier. Read more: About HTTP Event Collector Indexer Acknowledgment.      |
| endpoint.timeout | False    | 10      | Splunk HEC send data timeout in seconds.                                                                    |
| ssl_verify       | False    | true    | When set to true, enables SSL verification as per OpenResty docs.                                           |

This Plugin supports using batch processors to aggregate and process entries (logs/data) in a batch, which avoids the need to submit the data frequently. The batch processor submits data every 5 seconds or when the data in the queue reaches 1000. See Batch Processor for more information or to set your custom configuration.

Enabling the Plugin

Full configuration

The example below shows a complete configuration of the Plugin on a specific Route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins":{
        "splunk-hec-logging":{
            "endpoint":{
                "uri":"http://127.0.0.1:8088/services/collector",
                "token":"BD274822-96AA-4DA6-90EC-18940FB2414C",
                "channel":"FE0ECFAD-13D5-401B-847D-77833BD77131",
                "timeout":60
            },
            "buffer_duration":60,
            "max_retry_count":0,
            "retry_delay":1,
            "inactive_timeout":2,
            "batch_max_size":10
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "127.0.0.1:1980":1
        }
    },
    "uri":"/splunk.do"
}'

Minimal configuration

The example below shows a bare minimum configuration of the Plugin on a Route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins":{
        "splunk-hec-logging":{
            "endpoint":{
                "uri":"http://127.0.0.1:8088/services/collector",
                "token":"BD274822-96AA-4DA6-90EC-18940FB2414C"
            }
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "127.0.0.1:1980":1
        }
    },
    "uri":"/splunk.do"
}'
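
A pre-flight check for the endpoint.uri, endpoint.token and ssl_verify attributes used in the configurations above, written as an added example (not part of the APISIX project or its documentation). It flags an http HEC URI on a non-loopback host, where the token and log events would travel unencrypted, and ssl_verify set to false on an https URI. The function name audit_splunk_hec, the finding codes, the host splunk.example.internal and the <HEC-TOKEN> placeholder are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback(host):
    """True for localhost or a loopback IP literal such as 127.0.0.1 or ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def audit_splunk_hec(conf):
    """Return (code, message) findings for one splunk-hec-logging config dict."""
    findings = []
    endpoint = conf.get("endpoint") or {}
    for key in ("uri", "token"):  # both are Required in the attribute table
        if not endpoint.get(key):
            findings.append(("missing", f"endpoint.{key} is required"))
    raw_uri = endpoint.get("uri")
    if not raw_uri:
        return findings
    uri = urlsplit(raw_uri)
    if uri.scheme not in ("http", "https"):
        findings.append(("scheme", "endpoint.uri must be an http(s) URL"))
    elif uri.scheme == "http" and not _is_loopback(uri.hostname or ""):
        findings.append(("cleartext", "token and log events leave the host "
                         "unencrypted; use an https endpoint.uri"))
    elif uri.scheme == "https" and conf.get("ssl_verify", True) is False:
        findings.append(("no-verify", "ssl_verify=false: the HEC server "
                         "certificate is not validated"))
    return findings


# Constructed sample configs; host name and token are placeholders.
REMOTE = "splunk.example.internal:8088/services/collector"
PAGE_STYLE = {"endpoint": {"uri": "http://127.0.0.1:8088/services/collector",
                           "token": "<HEC-TOKEN>"}}
CLEARTEXT = {"endpoint": {"uri": "http://" + REMOTE, "token": "<HEC-TOKEN>"}}
NO_VERIFY = {"endpoint": {"uri": "https://" + REMOTE, "token": "<HEC-TOKEN>"},
             "ssl_verify": False}
HARDENED = {"endpoint": {"uri": "https://" + REMOTE, "token": "<HEC-TOKEN>"},
            "ssl_verify": True}

if __name__ == "__main__":
    for name in ("PAGE_STYLE", "CLEARTEXT", "NO_VERIFY", "HARDENED"):
        print(name, audit_splunk_hec(globals()[name]) or "ok")
```

Pass it the value of the "splunk-hec-logging" key from the Route body before sending the PUT to the Admin API.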

Example usage

Once you have configured the Route to use the Plugin, when you make a request to APISIX, it will be logged in your Splunk server:

curl -i 'http://127.0.0.1:9080/splunk.do?q=hello'

You should be able to log in and search these logs from your Splunk dashboard:

[Image: Splunk HEC search view]

Disable Plugin

To disable the splunk-hec-logging Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/hello",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'