Documentation
Overview
The splunk package is an event handler responsible for sending events to Splunk via the HTTP API.
If the Splunk API endpoint uses HTTPS with a certificate not recognized by the standard certificate authorities, you may add the server/CA cert to splunk.CACerts. The CA cert for Splunk cloud is already recognized.
Template
The splunk template provides a few extra functions on top of the default sawmill event formatter template.
Hostname - The system hostname (os.Hostname())
Source - The application name (path.Base(os.Argv[0]))
Pid - The process ID (os.Getpid())
Example
package main

import (
	"github.com/phemmer/sawmill"
	"github.com/phemmer/sawmill/handler/splunk"
)

const splunkURL = "https://foo:bar@input-prd-p-qrdznsbgja1b.cloud.splunk.com:8089"

func main() {
	defer sawmill.Stop()

	logger := sawmill.DefaultLogger()

	handler, err := splunk.New(splunkURL)
	if err != nil {
		logger.Fatal("Unable to initialize splunk", sawmill.Fields{"error": err})
	}
	logger.AddHandler("splunk", handler)

	logger.Info("Splunk enabled")
}
Constants
const SplunkFormat = "{{.Time \"2006-01-02 15:04:05.000 -0700\"}} {{.Level}}({{.Event.Level.Int}}) {{Source}}[{{Pid}}]: " + formatter.SIMPLE_FORMAT
SplunkFormat is the default template format. It is meant to work with the 'syslog' splunk sourcetype, such that the splunk field extraction matches most of the headers. The only header not properly parsed is the level.
const SplunkSourceType = "syslog"
SplunkSourceType is the default splunk source type
Variables
var CACerts = x509.NewCertPool()
CACerts is an x509 cert pool used when the Splunk API endpoint is using HTTPS, and has a certificate not recognized by the standard certificate authorities. You may add custom certificates to the pool, even after the handler has been instantiated.
var TLSConfig = &tls.Config{RootCAs: CACerts}
TLSConfig is the config used by the splunk handler for unrecognized certificate authorities.
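The following is an added illustration, not code from the sawmill project, of why a certificate added to the pool takes effect even after the client already exists: the tls.Config holds a pointer to the pool. It uses only the standard library; `caCerts` and `tlsConfig` are local stand-ins for splunk.CACerts and splunk.TLSConfig, and the httptest server is a constructed stand-in for a Splunk endpoint with a private certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// send posts one constructed event and returns any transport/TLS error.
func send(c *http.Client, url string) error {
	resp, err := c.Post(url, "text/plain", strings.NewReader("constructed event"))
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Demo returns the send error before and after the server certificate is
// added to the pool. The client is built once and never reconfigured.
func Demo() (before, after error) {
	// Constructed stand-in for a Splunk endpoint with a private certificate.
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()

	// Local stand-ins for splunk.CACerts and splunk.TLSConfig (assumption:
	// the handler verifies the server against this pool).
	caCerts := x509.NewCertPool()
	tlsConfig := &tls.Config{RootCAs: caCerts}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}

	before = send(client, srv.URL) // pool is empty: verification fails
	caCerts.AddCert(srv.Certificate())
	after = send(client, srv.URL) // same client, now trusts the server
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Println("before AddCert:", before)
	fmt.Println("after AddCert: ", after)
}
```

Trusting the specific certificate this way keeps certificate verification enabled, unlike setting InsecureSkipVerify on the config.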
Functions
This section is empty.
Types
type SplunkHandler
type SplunkHandler struct {
	Template   *template.Template
	Index      string
	SourceType string
	Hostname   string
	Source     string
	// contains filtered or unexported fields
}
All of the exported attributes are safe to replace before the handler has been added into a logger.
func New
func New(splunkURL string) (*SplunkHandler, error)
New constructs a new splunk handler.
The URL parameter is the URL of the Splunk API endpoint (e.g. https://user:pass@splunk.example.com:8089), and must contain authentication credentials. The URL may include a few query parameters which override default settings:
index - The index to send events to. Default: "default"
sourcetype - The source type to report log entries as. Default: "syslog"
hostname - The hostname to report as the origin of the log entries. Default: os.Hostname()
source - The source metadata parameter to send log entries with. Default: base(os.Argv[0])
If the Splunk server uses https and has a cert not recognized by a standard certificate authority, you can use splunk.CACerts to add the CA/server certificate.