Skip to content

Extensions to Microsoft Diagnostics EventFlow to output to Splunk

License

Notifications You must be signed in to change notification settings

hortha/diagnostics-eventflow-splunk

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

diagnostics-eventflow-splunk

Introduction

Extensions to Microsoft Diagnostics EventFlow to output to Splunk.

Build Status

Build Status NuGet

Outputs

Outputs

Splunk

Nuget Package: Spotsoft.Diagnostics.EventFlow.Outputs.Splunk

This output writes data to a Splunk HTTP Event Collector (HEC). Here is an example showing all possible settings:

{
  "inputs": [
    {
      "type": "Microsoft.Extensions.Logging"
    }
  ],
  "filters": [
  ],
  "outputs": [
    {
      "type": "SplunkOutput",
      "serviceBaseAddress": "https://hec.mysplunkserver.com:8088",
      "authenticationToken": "B5A79AAD-D822-46CC-80D1-819F80D7BFB0",
      "host": "localhost",
      "index": "main",
      "source": "my source",
      "sourceType": "_json",
      "ignoreSslCertificateErrors" : "true",
      "maxRetryAttempts" : "5"
    }
  ],
  "schemaVersion": "2016-08-11",

  "extensions": [
    {
      "category": "outputFactory",
      "type": "SplunkOutput",
      "qualifiedTypeName": "Spotsoft.Diagnostics.EventFlow.Outputs.Splunk.SplunkOutputFactory, Spotsoft.Diagnostics.EventFlow.Outputs.Splunk"
    }
  ]
}
Field Values/Types Required Description
type "SplunkOutput" Yes Specifies the output type. For this output, it must be "SplunkOutput".
serviceBaseAddress string Yes Base address for the Splunk HTTP Event Collector (HEC) (excluding the API URI e.g. services/collector/event/1.0).
authenticationToken string Yes Defines the HEC token as configured in Splunk. This token can be used to configure the default index, source and sourcetype associated with all events which use it.
host string No The host associated with the events. If left blank this will default to the name of the server which is executing the process using EventFlow.
index string No The Splunk index where the event will be stored. Leave blank unless you specifically want to override the default index associated with the HEC token.
source string No The Splunk source associated with the event. Leave blank unless you specifically want to override the default source associated with the HEC token.
sourcetype string No The Splunk source type associated with the event. Leave blank unless you specifically want to override the default source type associated with the HEC token.
ignoreSslCertificateErrors boolean No When set to true can be used against a Splunk HEC with a self-signed SSL certificate (only recommended for testing purposes).
maxRetryAttempts integer No Maximum number of attempts to call the Splunk HEC API if it returns a server error HTTP Status Code (i.e. >= 500). This uses an exponential backoff algorithm.

Splunk Dashboard

The events might end up looking something like this on the Splunk dashboard:

Splunk Dashboard Example

About

Extensions to Microsoft Diagnostics EventFlow to output to Splunk

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages