Create a sink connector from Apache Kafka® to Splunk#
The Splunk sink connector enables you to move data from an Aiven for Apache Kafka® cluster to a remote Splunk server via HTTP event collector (HEC).
Note
You can check the full set of available parameters and configuration options in the connector’s documentation.
Prerequisites#
To setup an Splunk sink connector, you need an Aiven for Apache Kafka service with Kafka Connect enabled or a dedicated Aiven for Apache Kafka Connect cluster.
Furthermore you need to collect the following information about the target server:
SPLUNK_HEC_TOKEN
: The HEC authentication tokenSPLUNK_HEC_URI
: The Splunk endpoint URITOPIC_LIST
: The list of topics to sink divided by commaSPLUNK_INDEXES
: The list of Splunk indexes where the data will be landing
and, if you are using Avro as the data format:
APACHE_KAFKA_HOST
: The hostname of the Apache Kafka serviceSCHEMA_REGISTRY_PORT
: The Apache Kafka’s schema registry portSCHEMA_REGISTRY_USER
: The Apache Kafka’s schema registry usernameSCHEMA_REGISTRY_PASSWORD
: The Apache Kafka’s schema registry user password
Note
You can browse the additional parameters available for the static
and oauth2
authorization types in the dedicated documentation.
Setup an Splunk sink connector with Aiven Console#
The following example demonstrates how to setup an Splunk sink connector for Apache Kafka using the Aiven Console.
Define a Kafka Connect configuration file#
Create a file (we’ll refer to this one as splunk_sink.json
) to hold the connector configuration. As an example, here’s some configuration for sending JSON payloads to Splunk:
{
"name":"CONNECTOR_NAME",
"connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
"splunk.hec.token": "SPLUNK_HEC_TOKEN",
"splunk.hec.uri": "SPLUNK_HEC_URI",
"splunk.indexes": "SPLUNK_INDEXES",
"topics": "TOPIC_LIST",
"splunk.hec.raw" : false,
"splunk.hec.ack.enabled" : false,
"splunk.hec.ssl.validate.certs": "true",
"config.splunk.hec.json.event.formatted": false,
"tasks.max":1
}
The configuration file contains the following entries:
name
: the connector namesplunk.hec.token
andsplunk.hec.uri
: remote Splunk server URI and authorization parameters collected in the prerequisite phase.splunk.hec.raw
: if set tofalse
defines the data ingestion using the/raw
HEC endpoint instead of the default/event
one.splunk.hec.ack.enabled
: if set totrue
, Kafka offset is updated only after receiving the ACK for the POST call to Splunk.config.splunk.hec.json.event.formatted
: Defines if events are preformatted into the proper HEC JSON format.
Tip
When using Splunk with self service SSL certificates it could be useful to set splunk.hec.ssl.validate.certs
to false
to disable HTTPS certification validation.
Create a Kafka Connect connector with the Aiven Console#
To create a Apache Kafka Connect connector, follow these steps:
Log in to the Aiven Console and select the Aiven for Apache Kafka® or Aiven for Apache Kafka Connect® service where the connector needs to be defined.
Select Connectors from the left sidebar.
Select Create New Connector, the button is enabled only for services with Kafka Connect enabled.
Select Splunk sink.
In the Common tab, locate the Connector configuration text box and select on Edit.
Paste the connector configuration (stored in the
splunk_sink.json
file) in the form.Select Apply.
Note
The Aiven Console parses the configuration file and fills the relevant UI fields. You can review the UI fields across the various tabs and change them if necessary. The changes will be reflected in JSON format in the Connector configuration text box.
After all the settings are correctly configured, select Create connector.
Verify the connector status under the Connectors screen.
Verify the data in the target Splunk instance.
Note
You can also create connectors using the Aiven CLI command.
Example: Create a simple Splunk sink connector#
If you have a topic named data_logs
that you want to sink to a Splunk server in the kafka_logs
index:
{
"name":"data_logs_splunk_sink",
"connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
"splunk.hec.token": "SPLUNK_HEC_TOKEN",
"splunk.hec.uri": "SPLUNK_HEC_URI",
"splunk.indexes": "kafka_logs",
"topics": "data_logs"
}
The configuration file contains the following things to note:
"topics": "data_logs"
: setting the topic to sink