This page is no longer maintained (Jul 12, 2023). For the most current information, go to Splunk Writer.
Snap type:
Write
Description:
This Snap writes data to a given Splunk index.
Expected upstream Snaps: Upstream Snap is required. Any Snap with a binary output view can be connected upstream.
Expected downstream Snaps: Downstream Snap is optional. Any Snap with a document input view can be connected downstream.
Expected input: The Snap requires binary input data. Input data is typically CSV or log data. If the header of the binary input data contains values for 'content-type' and 'content-location', the 'content-type' value is mapped to the 'sourcetype' field and the 'content-location' value to the 'source' field in Splunk. This header information is generated automatically when you read a file with File Reader or similar Snaps. If the upstream Snap is a Multi File Reader Snap, the Splunk Writer Snap can receive one or more binary data objects, each with its own header information.
Expected output: If the data upload completes successfully, the Snap produces an output document with {"status": "success"}. If it fails, an error document is written to the error view.
This Snap uses account references created on the Accounts page of SnapLogic Manager to handle access to this endpoint. The Snap requires a Splunk basic auth account.
Views:
Input
This Snap has exactly one binary input view. It must contain one or more binary data objects.
Output
This Snap has at most one document output view and may provide a document with {"status": "success"} if the upload is successful.
Error
This Snap has at most one document error view and produces zero or more documents in the view. If the Snap fails during the upload of data, an error document is sent to the error view containing the fields error, reason, resolution, and stacktrace:
{
  "error": "Failed to upload data to Splunk",
  "reason": "<an error message from Splunk>",
  "resolution": "Please address the reported issue.",
  "stacktrace": "com.Snaplogic.Snap.api.SnapDataException: ... "
}
Settings
Label
Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.
Splunk index
Required. A repository for data in Splunk Enterprise. When Splunk Enterprise indexes raw event data, it transforms the data into searchable events. You may select one from the suggested list. If the "=" button is pressed, it can be an expression evaluated with pipeline parameters.
Example: main, test_index, _myindex (with the "=" button pressed)
Default value: [None]
host
Specify the host argument of the event. For more information refer to Splexicon: Host, and host.
Default value: [None]
host_regex
Specify the host_regex argument of the event. For more information refer to host_regex.
Default value: [None]
source
Specify the source argument of the event. For more information refer to Splexicon: Source.
Select one of the three modes in which the Snap executes. Available options are:
Validate & Execute: Performs limited execution of the Snap, and generates a data preview during Pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during Pipeline runtime.
Execute only: Performs full execution of the Snap during Pipeline execution without generating preview data.
Disabled: Disables the Snap and all Snaps that are downstream from it.
Examples
In the Splunk Writer Snap below, the "test_index" is selected from the suggested list of indexes.
The following image shows the preview of the Multi File Reader Snap output view. Note that there are two binary data objects with "content-type" and "content-location" values. These two files are read from an SFTP server.
The following image is the preview of Splunk Search Snap with a search query "search index=test_index | head 3" and a time setting of "last 1 minute". The Splunk Search Snap is executed immediately after the execution of the above pipeline. Please note this preview shows three events of the "lsof.log" file uploaded in the above pipeline, which correspond to three rows in the log file.
Snap Pack History
Release
Snap Pack Version
Date
Type
Updates
August 2023
main22460
Stable
Updated and certified against the current SnapLogic Platform release.
May 2023
main21015
Stable
Updated and certified against the current SnapLogic Platform release.
February 2023
main19844
Stable
Updated and certified against the current SnapLogic Platform release.
November 2022
main18944
Stable
Updated and certified against the current SnapLogic Platform release.
August 2022
main17386
Stable
Upgraded with the latest SnapLogic Platform release.
4.29
main15993
Stable
Upgraded with the latest SnapLogic Platform release.
4.28 Patch
428patches14332
Latest
Upgraded the Splunk library to version 1.6.5.0 to fix an issue with the Splunk Search Snap, where the Snap displayed a 401 Unauthorized access error despite entering valid credentials.
4.28
main14627
Stable
Upgraded with the latest SnapLogic Platform release.
Fixed the connection failure issue when connecting to a cloud-based Splunk instance by not adding the prefix 'input-' to the hostname.
Removed the On-premises checkbox from the Snap Account settings.
4.27
main12833
Stable
Upgraded with the latest SnapLogic Platform release.
4.26
main11181
Stable
Upgraded with the latest SnapLogic Platform release.
4.25
main9554
Stable
Upgraded with the latest SnapLogic Platform release.
4.24
main8556
Stable
Upgraded with the latest SnapLogic Platform release.
4.23
423patches7504
Latest
Enhances the Splunk Search Snap by adding a new field, Response Mode, which allows receiving either JSON or XML response from the Splunk server. The default mode is XML, to enable backward compatibility.
4.23
main7430
Stable
Upgraded with the latest SnapLogic Platform release.
4.22
422patches7312
Latest
Enhances the Splunk Search Snap by adding a new field, Response Mode, which allows receiving either JSON or XML response from the Splunk server. The default mode is XML, to enable backward compatibility.
4.22
main6403
Stable
Upgraded with the latest SnapLogic Platform release.
4.21
421patches5851
Latest
Fixes the Splunk Snaps that fail to route connection errors to error view, thus aborting the Snaps.
4.21
snapsmrc542
Stable
Upgraded with the latest SnapLogic Platform release.
4.20
snapsmrc535
Stable
Upgraded with the latest SnapLogic Platform release.
4.19
splunk8425
Latest
Fixes the Splunk Search Snap where the output data does not display some of the preview fields.
Added the preview field to the Splunk Search Snap output to allow users to select between preview and actual search results to pass on to downstream Snaps.
4.19
snaprsmrc528
Stable
Upgraded with the latest SnapLogic Platform release.
4.18
splunk7812
Latest
Added properties named Earliest Relative, Latest Relative, and Preset Relative Search to the Splunk Search Snap to fix an issue wherein the Snap returns inaccurate and inconsistent results regarding last-30-day and year-to-date searches.
4.18
snapsmrc523
Stable
Upgraded with the latest SnapLogic Platform release.
4.17
ALL7402
Latest
Pushed automatic rebuild of the latest version of each Snap Pack to SnapLogic UAT and Elastic servers.
4.17
snapsmrc515
Latest
Added the Snap Execution field to all Standard-mode Snaps. In some Snaps, this field replaces the existing Execute during preview check box.
4.16
snapsmrc508
Stable
Upgraded with the latest SnapLogic Platform release.
4.15
snapsmrc500
Stable
Upgraded with the latest SnapLogic Platform release.
4.14
splunk5963
Latest
Updated the Splunk Search Snap to stream results directly to the client without storing them in the server.
4.14
snapsmrc490
Stable
Upgraded with the latest SnapLogic Platform release.
4.13
snapsmrc486
Stable
Upgraded with the latest SnapLogic Platform release.
4.12
snapsmrc480
Stable
Upgraded with the latest SnapLogic Platform release.
4.11
snapsmrc465
Stable
Upgraded with the latest SnapLogic Platform release.
4.10
snapsmrc414
Stable
Upgraded with the latest SnapLogic Platform release.
4.9
snapsmrc405
Stable
Upgraded with the latest SnapLogic Platform release.
4.8
snapsmrc398
Stable
Upgraded with the latest SnapLogic Platform release.
4.7
snapsmrc382
Stable
Upgraded with the latest SnapLogic Platform release.
4.6
snapsmrc362
Stable
Upgraded with the latest SnapLogic Platform release.
4.5.1
snapsmrc344
Stable
Upgraded with the latest SnapLogic Platform release.
4.5
snapsmrc344
Stable
Resolved an issue in Splunk Search Snap to ensure that the same errors are reported on Java 7 and Java 8 Snaplexes.
4.4.1
NA
Stable
Splunk Search: Resolved an issue with the message presented when a non-JavaScript expression was used in a Search.
Splunk Search: Resolved an issue with the input schema not populating after enabling an expression.
4.3.2
NA
Stable
Added SSL support to the Splunk Account.
4.3.1
NA
Stable
Feature: Additional configuration parameters for the Splunk Writer Snap.
May 15, 2015
NA
Stable
Addressed the following issue: Splunk Write: Writer does not throw an error if the index is disabled. Instead, the pipeline runs successfully, but no data is inserted.