Home

Awesome

diagnostics-eventflow-splunk

Introduction

Extensions to Microsoft Diagnostics EventFlow to output to Splunk.

Build Status

Build Status NuGet

Outputs

Outputs

Splunk

Nuget Package: Spotsoft.Diagnostics.EventFlow.Outputs.Splunk

This output writes data to a Splunk HTTP Event Collector (HEC). Here is an example showing all possible settings:

{
  "inputs": [
    {
      "type": "Microsoft.Extensions.Logging"
    }
  ],
  "filters": [
  ],
  "outputs": [
    {
      "type": "SplunkOutput",
      "serviceBaseAddress": "https://hec.mysplunkserver.com:8088",
      "authenticationToken": "B5A79AAD-D822-46CC-80D1-819F80D7BFB0",
      "host": "localhost",
      "index": "main",
      "source": "my source",
      "sourceType": "_json",
      "ignoreSslCertificateErrors" : "true",
      "maxRetryAttempts" : "5"
    }
  ],
  "schemaVersion": "2016-08-11",

  "extensions": [
    {
      "category": "outputFactory",
      "type": "SplunkOutput",
      "qualifiedTypeName": "Spotsoft.Diagnostics.EventFlow.Outputs.Splunk.SplunkOutputFactory, Spotsoft.Diagnostics.EventFlow.Outputs.Splunk"
    }
  ]
}
FieldValues/TypesRequiredDescription
type"SplunkOutput"YesSpecifies the output type. For this output, it must be "SplunkOutput".
serviceBaseAddressstringYesBase address for the Splunk HTTP Event Collector (HEC) (excluding the API URI e.g. services/collector/event/1.0).
authenticationTokenstringYesDefines the HEC token as configured in Splunk. This token can be used to configure the default index, source and sourcetype associated with all events which use it.
hoststringNoThe host associated with the events. If left blank this will default to the name of the server which is executing the process using EventFlow.
indexstringNoThe Splunk index where the event will be stored. Leave blank unless you specifically want to override the default index associated with the HEC token.
sourcestringNoThe Splunk source associated with the event. Leave blank unless you specifically want to override the default source associated with the HEC token.
sourcetypestringNoThe Splunk source type associated with the event. Leave blank unless you specifically want to override the default source type associated with the HEC token.
ignoreSslCertificateErrorsbooleanNoWhen set to true can be used against a Splunk HEC with a self-signed SSL certificate (only recommended for testing purposes).
maxRetryAttemptsintegerNoMaximum number of attempts to call the Splunk HEC API if it returns a server error HTTP Status Code (i.e. >= 500). This uses an exponential backoff algorithm.

Splunk Dashboard

The events might end up looking something like this on the Splunk dashboard:

Splunk Dashboard Example