Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2013 Splunk Inc. All rights reserved.

Who am I?
Igor Stojanovski
I have worked on:
- Windows port
- Data inputs
- Indexer
- Search commands
- Clustering
- Modular Inputs

AGENDA
- Amazon S3 input
- Questions

Inputs in Splunk
_TCP_ROUTING = *
index = _internal
sourcetype = splunk_version
- Managed by endpoints

Scripted Inputs
- [script://./bin/my_script.sh]
- UNIX app
- No configuration support
- Data processing issues
- Event boundaries
- Creating a UI is hard
- CRUD actions
- Support for setting source/sourcetype/host/index
- Support of enable/disable actions
- Can be customized
- s3://bucket-name/dir/file.txt
The goal is for this input to blend in with the other inputs.
Sample inputs.conf:
[s3://bucket2/http_logs/access.log]
key_id = AKQWERRQWWAG5J2Y6HGA
secret_key = 0UrnXj2D6YvDio/xwvoCrikEjCKbXV8V5casdfQ6
index = test1
sourcetype = access_combined
disabled = true
$SPLUNK_HOME/etc/apps/s3/README/inputs.conf.spec
$SPLUNK_HOME/etc/apps/s3/bin/s3.py

Locating a Script
$SPLUNK_HOME/etc/apps/s3/bin/s3.py

Introspection
$SPLUNK_HOME/etc/apps/s3/bin/s3.py --scheme
$SPLUNK_HOME/etc/apps/s3/bin/s3.py
$SPLUNK_HOME/etc/apps/s3/bin/s3.py --validate-arguments
$SPLUNK_HOME/etc/apps/s3/bin/s3.py --scheme
$SPLUNK_HOME/etc/apps/s3/bin/s3.py
[s3://<name>]
key_id = <value>
* This is Amazon key ID.
secret_key = <value>
* This is the secret key.

Let's see it

When run with --scheme, the script can return an XML document
- Adds descriptive text for the UI
- Allows declaration on whether endpoint arguments are required
- Data input mode (simple or xml)
<validation>is_port('port_num')</validation>
<validation>validate(is_pos_int('param1') AND 'param1' > 100, "param1 must be > 100.")</validation>
More helpful UI
[s3://splunk-2/access.common.log]
key_id = AKIAJIYU5KG35WTX5G6Q
secret_key = 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

Key for accessing endpoints
Saving state
Runtime configuration
$ splunkd print-modinput-config s3 s3://splunk-2/access.common.log
<input>
  <session_key>b2bf1835dea8782e29e6b8ca33b42ea7</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/s3</checkpoint_dir>
  <configuration>
    <stanza name="s3://splunk-2/access.common.log">
      <param name="host">tiny</param>
      <param name="index">default</param>
      <param name="key_id">AKIAJIYU5KG35WTX5G6Q</param>
      <param name="secret_key">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</param>
    </stanza>
  </configuration>
</input>
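
The `<input>` document above reaches the script with the session key and the stanza's secret_key in clear text, so anything the script logs about its configuration should be redacted first. The following is an added example, not code from the presentation or from the s3 app: it parses that document and builds a log-safe copy. The `SENSITIVE` set and all sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the field names to treat as secrets, taken from the s3 example's layout.
SENSITIVE = {"secret_key", "session_key"}

# Constructed sample shaped like the <input> document shown above; values are placeholders.
SAMPLE_CONFIG = """<input>
  <session_key>CONSTRUCTED-SESSION-KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/s3</checkpoint_dir>
  <configuration>
    <stanza name="s3://example-bucket/access.log">
      <param name="host">examplehost</param>
      <param name="index">default</param>
      <param name="key_id">EXAMPLE-KEY-ID</param>
      <param name="secret_key">EXAMPLE-SECRET</param>
    </stanza>
  </configuration>
</input>"""

def parse_input_config(xml_text):
    """Parse the <input> document that the script receives on stdin."""
    root = ET.fromstring(xml_text)
    if root.tag != "input":
        raise ValueError("expected <input> root, got <%s>" % root.tag)
    config = {
        "session_key": root.findtext("session_key"),
        "checkpoint_dir": root.findtext("checkpoint_dir"),
        "stanzas": {},
    }
    for stanza in root.iterfind("configuration/stanza"):
        params = {p.get("name"): (p.text or "") for p in stanza.iterfind("param")}
        config["stanzas"][stanza.get("name")] = params
    return config

def redact(config):
    """Return a copy of the parsed config that is safe to write to a log."""
    safe = {k: ("<redacted>" if k in SENSITIVE and v else v)
            for k, v in config.items() if k != "stanzas"}
    safe["stanzas"] = {
        name: {k: ("<redacted>" if k in SENSITIVE else v) for k, v in params.items()}
        for name, params in config["stanzas"].items()
    }
    return safe

if __name__ == "__main__":
    print(redact(parse_input_config(SAMPLE_CONFIG)))
```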

Sending Data
<streaming_mode>xml</streaming_mode>

Logging
- Search Splunk for messages in splunkd.log:

Configuration Layering
etc/system/local/inputs.conf
[default]
x = y
host = myhost
index = default
etc/apps/search/local/inputs.conf
[monitor:///data/dir/]
sourcetype = access_combined

Configuration Layering
etc/system/local/inputs.conf
[default]
x = y
host = myhost
index = default
etc/apps/app1/default/inputs.conf
[s3]
key_id = AKQWERRQWWAG5J2Y6HGA
etc/apps/search/local/inputs.conf
[s3://data-bucket/]
secret_key = CrikEjCKbXV8V5casdfQ6

Saving State

Input Status
- https://localhost:8089/services/admin/inputstatus
- Script path
- Start and stop time
- Total bytes sent
- Config stanza that it serves

<scheme>
<title>Foobar monitoring</title>
<use_single_instance>true</use_single_instance>
[...]

Summary

Where Next?
Documentation
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsIntro
- S3
- Twitter
- HDFS file monitor, part of the Splunk Hadoop Connect app
- Windows Inputs (starting with 6.0): perfmon, WinEventLog, WinRegMon

THANK YOU