Splunk Input

The Splunk Input step connects to a Splunk server, runs a Splunk query, and returns results to your transformation.

For more information about Splunk, see the Splunk documentation.

Prerequisites

You must have read access to a Splunk server. Contact your Splunk administrator for the host name and port.

General

Step name: Specify the unique name of the Splunk Input step on the canvas. You can customize the name or leave it as the default.

Connection tab

Use this tab to configure the Splunk connection.

Option

Description

Host name(s) or IP address(es)

Network name or IP address of the Splunk instance (or instances).

Port

Port for the Splunk (splunkd) server. Default is 8089 (your administrator might have changed this).

User name

User name required to access the Splunk server.

Password

Password for the user.

Test connection

Tests the connection using the configured settings.

Preview

Previews results. Specify the preview size, then review the results in the preview window.

Fields tab

Use this tab to define the Splunk query and the output fields.

Splunk query expression

Unlike queries in the Splunk UI, you must start the query with search.
Example:

search * | head 100

Splunk search supports field selection, which can give you access to Splunk-parsed fields inside the _raw field. To select specific fields, add a fields command:

... | fields index source OpCode

Execute for each row

If you select Execute for each row, the step runs a new query for each incoming row.

You can reference incoming fields by using ?{<Field>}. For example, to drive the result limit from an incoming field named Size:

search * | head ?{Size}

Output fields table

Column

Description

Name

Output field name in PDI.

Splunk name

Field name as returned by Splunk.

Type

Output data type.

Length

Output field length.

Format

Output field format.

Select Get fields to load field metadata into the table. Removing unused fields can improve performance.

Select Preview to preview data.

Raw field parsing

The step attempts to parse the _raw field into child fields named:

_raw.<FieldName>

The parser expects name/value pairs separated by newlines, like:

<Name1>=<Value1>
<Name2>=<Value2>

If your raw field data is not formatted this way, post-process the values using other steps.

Date handling

Splunk commonly returns dates in ISO-8601 format through web services. If you need to parse these dates, you can transform the date string using Modified Java Script Value.

Example script:

var dateobj = str2date((substr(_time, 0, 23) + "GMT" + substr(_time, 23)).trim(), "yyyy-MM-dd'T'HH:mm:ss.SSSz");

Metadata injection support

All fields of this step support metadata injection. You can use this step with ETL metadata injection to pass metadata to your transformation at runtime.

PreviousSplit Fields NextSplunk Output

Last updated 1 month ago

Was this helpful?

hashtagPrerequisites

hashtagGeneral

hashtagConnection tab

hashtagFields tab

hashtagSplunk query expression

hashtagExecute for each row

hashtagOutput fields table

hashtagRaw field parsing

hashtagDate handling

hashtagMetadata injection support