Extensions to Microsoft Diagnostics EventFlow to output to Splunk.
Outputs
Nuget Package: Spotsoft.Diagnostics.EventFlow.Outputs.Splunk
This output writes data to a Splunk HTTP Event Collector (HEC). Here is an example showing all possible settings:
{
"inputs": [
{
"type": "Microsoft.Extensions.Logging"
}
],
"filters": [
],
"outputs": [
{
"type": "SplunkOutput",
"serviceBaseAddress": "https://hec.mysplunkserver.com:8088",
"authenticationToken": "B5A79AAD-D822-46CC-80D1-819F80D7BFB0",
"host": "localhost",
"index": "main",
"source": "my source",
"sourceType": "_json",
"ignoreSslCertificateErrors" : "true",
"maxRetryAttempts" : "5"
}
],
"schemaVersion": "2016-08-11",
"extensions": [
{
"category": "outputFactory",
"type": "SplunkOutput",
"qualifiedTypeName": "Spotsoft.Diagnostics.EventFlow.Outputs.Splunk.SplunkOutputFactory, Spotsoft.Diagnostics.EventFlow.Outputs.Splunk"
}
]
}
Field | Values/Types | Required | Description |
---|---|---|---|
type |
"SplunkOutput" | Yes | Specifies the output type. For this output, it must be "SplunkOutput". |
serviceBaseAddress |
string | Yes | Base address for the Splunk HTTP Event Collector (HEC) (excluding the API URI e.g. services/collector/event/1.0). |
authenticationToken |
string | Yes | Defines the HEC token as configured in Splunk. This token can be used to configure the default index, source and sourcetype associated with all events which use it. |
host |
string | No | The host associated with the events. If left blank this will default to the name of the server which is executing the process using EventFlow. |
index |
string | No | The Splunk index where the event will be stored. Leave blank unless you specifically want to override the default index associated with the HEC token. |
source |
string | No | The Splunk source associated with the event. Leave blank unless you specifically want to override the default source associated with the HEC token. |
sourcetype |
string | No | The Splunk source type associated with the event. Leave blank unless you specifically want to override the default source type associated with the HEC token. |
ignoreSslCertificateErrors |
boolean | No | When set to true can be used against a Splunk HEC with a self-signed SSL certificate (only recommended for testing purposes). |
maxRetryAttempts |
integer | No | Maximum number of attempts to call the Splunk HEC API if it returns a server error HTTP Status Code (i.e. >= 500). This uses an exponential backoff algorithm. |
The events might end up looking something like this on the Splunk dashboard: