


About Splunk

Splunk is a software product that captures, indexes, and correlates real-time, machine-generated data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Currently, the Splunk connector extracts data represented as Splunk reports.

Splunk Connector

The Incorta Splunk connector uses the Splunk Software Development Kit (SDK) for Java, which is built as a layer on top of the Splunk REST API. Version 1.0 of the connector supports Splunk reports. The Splunk connector creates a search job to retrieve the list of reports created in the system. When a report is selected during schema design, the Splunk Connector creates another search job to retrieve the fields of that report. Splunk retrieves the fields by discovering them from the last loaded job of the report, a mechanism that works for both scheduled and unscheduled reports.

The Splunk connector supports the following Incorta-specific functionality:

Feature Supported
Incremental loading
Encryption at ingest
Performance Optimization
Webhook Callbacks

Deployment Steps

IMPORTANT

Deployment of the Splunk connector requires a restart of the entire Incorta cluster, including the CMC, analytics and loader services.

The Splunk connector is an external connector, which means you deploy it as a plugin to the Incorta platform and upgrade it separately from upgrading the Incorta platform itself.

Here are the steps to deploy incorta.connector.splunk.jar to the extensions directory:

  • Download the Splunk JAR file from the latest version of your Incorta customer release distribution (incorta.connector.splunk.jar)
  • Create the splunk directory in {path to IncortaNode}/extensions/connectors: $ mkdir {path to IncortaNode}/extensions/connectors/splunk
  • Copy the Splunk connector JAR file to {path to IncortaNode}/extensions/connectors/splunk
  • Create the splunk directory in {path to cmc}/extensions/connectors: $ mkdir {path to cmc}/extensions/connectors/splunk
  • Copy the Splunk connector JAR file to {path to cmc}/extensions/connectors/splunk
  • Restart the entire Incorta cluster (CMC, analytics and loader services)
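
The staging steps above as a shell function, with a check that each copied JAR matches the downloaded file (an added example, not part of the Incorta documentation or tooling). The function name, the path checks and the 755/644 permission modes are assumptions; the restart commands are not given on this page, so the function stops after staging.

```shell
#!/bin/sh
# Added example (not Incorta's own tooling): stage the connector JAR into
# both extension directories from the steps above and verify each copy.
# Usage: deploy_splunk_connector JAR INCORTA_NODE_DIR CMC_DIR
# The function name, checks and permission modes are assumptions.
deploy_splunk_connector() {
    jar=$1; node_dir=$2; cmc_dir=$3
    name=incorta.connector.splunk.jar

    # Refuse anything that is not a non-empty regular file.
    if [ ! -f "$jar" ] || [ ! -s "$jar" ]; then
        echo "error: $jar is missing or empty" >&2
        return 1
    fi

    for base in "$node_dir" "$cmc_dir"; do
        # extensions/connectors must already exist; a missing directory
        # usually means the installation path was mistyped.
        if [ ! -d "$base/extensions/connectors" ]; then
            echo "error: $base/extensions/connectors not found" >&2
            return 1
        fi
        dest="$base/extensions/connectors/splunk"
        mkdir -p "$dest" || return 1
        cp "$jar" "$dest/$name" || return 1
        # Assumed modes: writable by the owner only, so other local
        # accounts cannot swap a JAR the services load at startup.
        chmod 755 "$dest" || return 1
        chmod 644 "$dest/$name" || return 1
        # Byte-for-byte comparison catches a truncated or failed copy.
        if ! cmp -s "$jar" "$dest/$name"; then
            echo "error: $dest/$name differs from $jar" >&2
            return 1
        fi
    done
    echo "Staged $name; now restart the CMC, analytics and loader services."
}
```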

Steps to connect Splunk and Incorta

To connect Splunk and Incorta, here are the high-level steps, tools, and procedures:

Create an external data source

Here are the steps to create an external data source with the Splunk connector:

  • Sign in to the Incorta Unified Data Analytics Platform (UDAP).
  • In the Navigation bar, select Data.
  • In the Action bar, select + New → Add Data.
  • In the Choose a Data Source dialog, in Application, select Splunk.
  • In the New Data Source dialog, specify the applicable connector properties.
  • To test, select Test Connection.
  • Select Ok to save your changes.

Splunk connector properties

Here are the properties for the Splunk connector:

| Property | Control | Description |
|---|---|---|
| Data Source Name | text box | Enter the name of the data source |
| Authentication Method | drop down list | Options are: Using Splunk Username and Password; Using AppleConnect |
| Username | text box | Splunk Username and Password authentication only |
| Password | text box | Splunk Username and Password authentication only |
| IdMS Account Name | text box | Splunk AppleConnect authentication only |
| IdMS Account Password | text box | Splunk AppleConnect authentication only |
| IdMS AppID Key | text box | Splunk AppleConnect authentication only |
| TOTP Secret Code | text box | Splunk AppleConnect authentication only |
| Hostname | text box | Splunk hostname |
| Port | text box | Splunk port |

Create a schema with the Schema Wizard

Here are the steps to create a Splunk schema with the Schema Wizard:

  • Sign in to the Incorta UDAP.
  • In the Navigation bar, select Schema.
  • In the Action bar, select + New → Schema Wizard.
  • In (1) Choose a Source, specify the following:
      • For Enter a name, enter the schema name.
      • For Select a Datasource, select the Splunk external data source.
      • Optionally create a description.
  • In the Schema Wizard footer, select Next.
  • In (2) Manage Tables, in the Data Panel, first select the name of the Data Source, and then check the Select All checkbox.
  • In the Schema Wizard footer, select Next.
  • In (3) Finalize, in the Schema Wizard footer, select Create Schema.

Create a schema with the Schema Designer

Here are the steps to create a Splunk schema using the Schema Designer:

  • Sign in to the Incorta UDAP.
  • In the Navigation bar, select Schema.
  • In the Action bar, select + New → Create Schema.
  • In Name, specify the schema name, and select Save.
  • In Start adding tables to your schema, select Splunk.
  • In the Data Source dialog, specify the Splunk table data source properties.
  • Select Add.
  • In the Table Editor, in the Table Summary section, enter the table name.
  • To save your changes, select Done in the Action Bar.

Splunk table data source properties

For a schema table in Incorta, you can define the following Splunk-specific data source properties:

| Property | Control | Description |
|---|---|---|
| Type | drop down list | Default is Splunk |
| Data Source | drop down list | Select the Splunk external data source |
| Report Entry Method | drop down list | Select an option for specifying the report to create the schema table from: Fully qualified name; Select from list |
| Report’s Fully Qualified Name | text box | This property appears when the value of Report Entry Method is Fully qualified name. Enter the full name of the report. |
| Report | drop down list | This property appears when the value of Report Entry Method is Select from list. Select an available report from the list. |
| Start Date | drop down list | Select the time window of the report |
| Full Load Start Date | text box | This property appears when the value of Start Date is Custom Date. Enter the custom date in yyyy-mm-dd format. |
| Page Size (in rows) | text box | Enter the number of records in a page for the REST API request |
| Callback | toggle | Enables the Callback URL field |
| Callback URL | text box | This property appears when the Callback toggle is enabled. Specify the URL. |

Start date options

The start date options apply to unscheduled reports only:

  • Report’s Default Start Time: This option will use the default time window of the report.
  • All Time: This option will run the report to retrieve all available data without restricting the time window.
  • Custom Date: This option allows the user to enter a custom date to get the data from that date.

For scheduled reports, data is extracted from the last load job. In other words, incremental and full loading are supported for unscheduled reports, and full loading only is supported for scheduled reports.

View the schema diagram with the Schema Diagram Viewer

Here are the steps to view the schema diagram using the Schema Diagram Viewer:

  • Sign in to the Incorta UDAP.
  • In the Navigation bar, select Schema.
  • In the list of schemas, select the Splunk schema.
  • In the Schema Designer, in the Action bar, select Diagram.

Load the schema

Here are the steps to perform a Full Load of the Splunk schema using the Schema Designer:

  • Sign in to the Incorta UDAP.
  • In the Navigation bar, select Schema.
  • In the list of schemas, select the Splunk schema.
  • In the Schema Designer, in the Action bar, select Load → Load Now → Full.
  • To review the load status, in Last Load Status, select the date.

Explore the schema

With the full load of the Splunk schema complete, you can use the Analyzer to explore the schema, create your first insight, and save the insight to a new dashboard.

To open the Analyzer from the schema, follow these steps:

  • In the Navigation bar, select Schema.
  • In the Schema Manager, in the List view, select the Splunk schema.
  • In the Schema Designer, in the Action bar, select Explore Data.