Versions Compared

Old Version 8

changes.mady.by.user Vidya Patil

Saved on

compared with

New Version 9

changes.mady.by.user Vidya Patil

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Snap type:

Write


Description:

This Snap writes data to a given Splunk index.

  • Expected upstream SnapsUpstream Snap is required. Any Snap with a binary output view can be connected upstream.
  • Expected downstream SnapsDownstream Snap is optional. Any Snap with a document input view can be connected downstream.
  • Expected input: The Snap requires binary input data. Input data is typically CSV or log data. If the header of the binary input data contains values for 'content-type' and 'content-location', the 'content-type' value is mapped to the 'sourcetype' field, and 'content-location', to the 'source' field in Splunk. This header information is automatically generated when you read a file from File Reader or similar Snaps. If the upstream Snap is Multi File Reader Snap, Splunk Writer Snap can receive one or more binary data with a header information for each binary data.
  • Expected outputIf the data uploading is completed successfully, the Snap produces an output document with {"status": "success"}. If it fails, an error document is written to the error view.


Prerequisites:

[None]


Support and limitations:


Account: 

This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. The Snap requires a Splunk basic auth account.


Views:


Input

This Snap has exactly one binary input view. It must contain one or more binary data objects.

Output

This Snap has at most one document output view and may provide a document with {"status": "success"} if the upload is successful.

Error

This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the upload of data, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace:

Code Block
{
        "error": "Failed to upload data to Splunk",
        "reason": "<an error message from Splunk>",
        "resolution": "Please address the reported issue."
        "stacktrace":"com.Snaplogic.Snap.api.SnapDataException:  ... "
}


Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Splunk index



Required. A repository for data in Splunk Enterprise. When Splunk Enterprise indexes raw event data, it transforms the data into searchable events. You may select one from the suggested list. If the "=" button is pressed, it can be an expression evaluated with pipeline parameters.

Example  main
                  test_index,
                  _myindex (with the "=" button pressed)

Default value:  [None]


host

Specify the host argument of the event. For more information refer to Splexicon: Host, and host.

Default value:  [None]

host_regex

Specify the host_regex argument of the event. For more information refer to host_regex.

Default value: [None]

source

Specify the host_regex argument of the event. For more information refer to Splexicon: Source

Default value: [None]

sourcetype

Specify the host_regex argument of the event. For more information refer to sourcetype and Splexicon: Source type.

Default value: [None]

Execute during preview

This property enables you to execute the Snap during the Save operation so that the output view can produce the preview data.

Default value: Not selected


Examples

In the Splunk Writer Snap below, the "test_index" is selected from the suggested list of indexes.

 Image Removed

Image Added

The following image shows the preview of Multi File Reader Snap output view. Please note that there are two binary data with "content-type" and "content-location" values. These two files are read from a SFTP server.


 


The following image is the preview of Splunk Search Snap with a search query "search index=test_index | head 3" and a time setting of "last 1 minute". The Splunk Search Snap is executed immediately after the execution of the above pipeline. Please note this preview shows three events of the "lsof.log" file uploaded in the above pipeline, which correspond to three rows in the log file.

 


Insert excerpt
Splunk Snap Pack
Splunk Snap Pack
nopaneltrue