Feature Request: Splunk Output plugin

[adityacs]

Proposal:

Splunk(Http event collector) Output plugin

Use case

Push telegraf metrics to Splunk.

[adityacs]

I am aware that "file" output plugin can be used to write telegraf metrics to file and then use splunk agent to push metrcis from file. However, as in Elasticsearch output plugin we can directly push metrics to Splunk instead of telegraf to file and then to Splunk.

@danielnelson @sparrc Let me know your views.

[danielnelson]

Sounds like it would be a nice thing to have, though the fact that it is not open source makes it more difficult to test and fix bugs.

If this is something you are planning to work on just keep in mind that it may take some time to be merged into this repo depending on what the perceived demand is.

[adityacs]

@danielnelson Got your point. This is one use case I have at my workplace. If I work on this, will create a PR.

[ayounas]

I am using socket writer at the moment to push data from telegraf into splunk. Splunk is configured to listen on a UDP socket and socket writer pushes data to splunk in json format. Problem is there is no authentication, it will be good to have a plugin which supports output to https with ability to send authorization header.

[poezn]

The Splunk documentation spells out how the data would have to be formatted. But at its simplest, the data could look as follows:

{
  "time": 1486683865.000,
  "event": "metric",
  "host":"host_12345",
  "fields": {
    "_value": 1099511627776,
    "metric_name": "my.metric.name",
    "dim1": "foo",
    "dim2": "bar"
  }
}`

[smallsam]

@ronnocol are you intending to push your splunkHEC output work to the origin? I'd be keen to start using this too.

[ronnocol]

I do, however, since I did it as a work project... the CLA is in legal review. Hopefully we'll get it resolved really soon and I'll be able to put in a pull request.

[kplimack]

@ronnocol have there been any updates?

[vidkun]

I also need this.

[russorat]

how does this relate to #4185 and #4300 ?

[ronnocol]

I've been unable to get final sign-off for the CLA. After reviewing #4185 and #4300, I would recommend #4300. There's very little manipulation of the data, it allows you to use HECs with SSL and private certs (w/o making those certs trusted.) So, if I had a vote, I'd vote for #4300.

[arohter]

#4339 should resolve this, for both File and HEC (http) outputs.

[danielnelson]

We have merged #4339, which is the splunk metrics serializer, (thanks @ronnocol). What "serializer" means in this case is that you will need to use it along with any output that has the data_format option. There are some good examples in the documentation.

I'm going to close this issue, but if anyone is interested on working on it we would also accept a Splunk output that uses the new serializer and whose main purpose is just to wrap everything up into a more turn-key solution.