# splunk-hec-logging

## Name

The splunk-hec-logging plugin is used to forward the request log of Apache APISIX to Splunk HTTP Event Collector (HEC) for analysis and storage. After the plugin is enabled, Apache APISIX obtains the request context information in the Log Phase, serializes it into Splunk Event Data format, and submits it to the batch queue. When the batch reaches its maximum processing capacity or the maximum time to refresh the buffer elapses, the data in the queue is submitted to Splunk HEC.

For more information on the Batch-Processor in Apache APISIX, please refer to: Batch-Processor

## Attributes

Name | Requirement | Default | Description |
---|---|---|---|
endpoint | required | | Splunk HEC endpoint configuration info |
endpoint.uri | required | | Splunk HEC event collector API |
endpoint.token | required | | Splunk HEC authentication token |
endpoint.channel | optional | | Splunk HEC send data channel identifier, refer to: About HTTP Event Collector Indexer Acknowledgment |
endpoint.timeout | optional | 10 | Timeout for sending data to Splunk HEC, in seconds |
ssl_verify | optional | true | Enable SSL verification, option as per OpenResty docs |
max_retry_count | optional | 0 | Max number of retries before removing from the processing pipeline |
retry_delay | optional | 1 | Number of seconds the process execution should be delayed if the execution fails |
buffer_duration | optional | 60 | Max age in seconds of the oldest entry in a batch before the batch must be processed |
inactive_timeout | optional | 5 | Max age in seconds when the buffer will be flushed if inactive |
batch_max_size | optional | 1000 | Max size of each batch |

## How To Enable

The following is an example of how to enable the splunk-hec-logging plugin for a specific route.

### Full configuration

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins":{
        "splunk-hec-logging":{
            "endpoint":{
                "uri":"http://127.0.0.1:8088/services/collector",
                "token":"BD274822-96AA-4DA6-90EC-18940FB2414C",
                "channel":"FE0ECFAD-13D5-401B-847D-77833BD77131",
                "timeout":60
            },
            "buffer_duration":60,
            "max_retry_count":0,
            "retry_delay":1,
            "inactive_timeout":2,
            "batch_max_size":10
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "127.0.0.1:1980":1
        }
    },
    "uri":"/splunk.do"
}'
```

### Minimal configuration

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins":{
        "splunk-hec-logging":{
            "endpoint":{
                "uri":"http://127.0.0.1:8088/services/collector",
                "token":"BD274822-96AA-4DA6-90EC-18940FB2414C"
            }
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "127.0.0.1:1980":1
        }
    },
    "uri":"/splunk.do"
}'
```
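
An added example, not part of the APISIX documentation: a small audit of a route body's splunk-hec-logging block against the attributes listed above, flagging a non-loopback `http://` HEC endpoint, disabled certificate verification, and the default of zero retries. The function name, the sample routes, the placeholder hostname and token, and the loopback exemption are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Defaults from the Attributes table on this page.
DEFAULTS = {"ssl_verify": True, "max_retry_count": 0}
# Assumption of this example: traffic to these hosts never leaves the machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_splunk_hec(route):
    """Return a list of findings for a route's splunk-hec-logging config."""
    conf = route.get("plugins", {}).get("splunk-hec-logging")
    if conf is None:
        return []  # plugin not enabled on this route
    findings = []
    endpoint = conf.get("endpoint", {})
    for key in ("uri", "token"):
        if not endpoint.get(key):
            findings.append(f"endpoint.{key} is required but missing")
    url = urlsplit(endpoint.get("uri", ""))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append("endpoint.uri uses http: token and logs leave the host unencrypted")
    if url.scheme == "https" and not conf.get("ssl_verify", DEFAULTS["ssl_verify"]):
        findings.append("ssl_verify is false: HEC server certificate is not verified")
    if conf.get("max_retry_count", DEFAULTS["max_retry_count"]) == 0:
        findings.append("max_retry_count is 0: a failed batch is dropped without retry")
    return findings

# Constructed sample route bodies (hostname and token are placeholders).
WEAK = json.loads("""{
  "plugins": {"splunk-hec-logging": {
    "endpoint": {"uri": "http://splunk.example.internal:8088/services/collector",
                 "token": "00000000-0000-0000-0000-000000000000"}}},
  "uri": "/splunk.do"}""")
HARDENED = json.loads("""{
  "plugins": {"splunk-hec-logging": {
    "endpoint": {"uri": "https://splunk.example.internal:8088/services/collector",
                 "token": "00000000-0000-0000-0000-000000000000"},
    "ssl_verify": true, "max_retry_count": 3}},
  "uri": "/splunk.do"}""")

if __name__ == "__main__":
    for name, route in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_splunk_hec(route) or "no findings")
```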

## Test Plugin

- Send a request to the route configured with the splunk-hec-logging plugin:

```shell
$ curl -i 'http://127.0.0.1:9080/splunk.do?q=hello'
HTTP/1.1 200 OK
...
hello, world
```

- Log in to the Splunk Dashboard to search and view the logs.

## Disable Plugin

To disable the splunk-hec-logging plugin, remove the JSON configuration corresponding to splunk-hec-logging from the route.

```shell
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/hello",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'
```