splunksummit 2015 - http event collector, simplified developer logging
Copyright © 2015 Splunk Inc.
Glenn Block (@gblock) – Principal Product Manager
Jian Lee – Senior Software Engineer
Splunk Developer Platform & Core
HTTP Event Collector, Simplified Developer Logging
Andrew Phillips Senior SE, Splunk
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
HTTP Event Collector
• A new token-based JSON API for events
• Send events directly from anywhere (servers, mobile devices, IoT)
• Easy to configure / works out of the box
• Easy to secure
• Highly performant, scalable and available
How you use
• Enable HTTP Event Collector
• Create/Get a token
• Send events to Splunk using the token
  – Use HTTP directly
    • Create a POST request and set the Auth header with the token
    • POST JSON in our event format to the collector
  – Use logging libraries
    • Support for .NET, Java and JavaScript loggers
Demo Configuring HTTP Event Collector
Demo Using the HTTP Event Collector With CURL
Sending data
# send with curl
curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk 46931F1C-352C-4DF6-820C-F2689CF88494' -d '{"event":"Hello Event Collector"}'
Overriding defaults
Demo Using the HTTP Event Collector With nodejs
./splunk_httpinput/local/inputs.conf
[Screenshot of inputs.conf. Callouts: global stanza, token stanza, token name, enable/disable the collector, auth token, enable/disable the token, default metadata, default index, allowed indexes]
./splunk_httpinput/defaults/inputs.conf
Default port
SSL Enabled by default
Distributed deployment disabled
Event Collector CLI
./bin/splunk http-event-collector help
Permissions and delegation
• HTTP Event Collector requires the edit_token_http capability.
• You can delegate token admin to devops / eng.
• Token admins can only manage the feature; they do not have any other admin permissions in Splunk.
A few tips
• Create tokens per app, department, component, service, etc. Not per user or device, especially if you are talking about a large number (> 10000).
• Consider partitioning tokens to different indexes. This will speed up searches and make it easy to archive.
• Consider delegating token management to devops/eng.
• Explicitly set allowed indexes on the token. If not set, the token can send data to any index.
• Use HTTP over HTTPS when you can. You can get about a 30% performance gain.
• Ask your devs to batch events. It greatly improves throughput.
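The steps from "How you use" (set the Auth header with the token, POST JSON in the event format) combined with the batching tip, as an added JavaScript example that is not from the original slides or from Splunk's logging libraries. The function names, the 512 KiB per-request cap and the sample values are assumptions; a batch here is several event objects concatenated in one request body.

```javascript
// Wrap one application event in the collector's JSON envelope. Only "event" is
// required; the metadata keys override the defaults configured on the token.
function toEnvelope(event, meta = {}) {
  const envelope = { event };
  for (const key of ['time', 'host', 'source', 'sourcetype', 'index']) {
    if (meta[key] !== undefined) envelope[key] = meta[key];
  }
  return JSON.stringify(envelope);
}

// A batch is several envelopes concatenated in one request body (not a JSON
// array). Start a new body whenever adding an event would exceed maxBytes.
// maxBytes is an assumed client-side cap, not a value from the slides.
function buildBatches(events, meta = {}, maxBytes = 512 * 1024) {
  const batches = [];
  let current = '';
  for (const event of events) {
    const item = toEnvelope(event, meta);
    if (current && Buffer.byteLength(current + item) > maxBytes) {
      batches.push(current);
      current = '';
    }
    current += item;
  }
  if (current) batches.push(current);
  return batches;
}

// One POST per batch; the token travels in the Authorization header.
function buildRequests(collectorUrl, token, events, meta, maxBytes) {
  return buildBatches(events, meta, maxBytes).map((body) => ({
    url: collectorUrl,
    init: { method: 'POST', headers: { Authorization: `Splunk ${token}` }, body },
  }));
}

// Send the batches in order with Node's built-in fetch (Node 18+), which
// verifies the collector's TLS certificate by default, unlike `curl -k`.
async function sendAll(collectorUrl, token, events, meta) {
  const statuses = [];
  for (const { url, init } of buildRequests(collectorUrl, token, events, meta)) {
    statuses.push((await fetch(url, init)).status);
  }
  return statuses;
}
```

If the token has allowed indexes set, an `index` value passed in `meta` has to be one of them.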
Scale and High Availability
[Diagram: Indexers; Search Head / Deployment Server]
Scale and High Availability
[Diagram: Event Collectors; Indexers; Search Heads]
Distributed deployment
HTTP Event Collector can scale to meet your needs!
• Built into splunkd, nothing special to install
• Run directly on the indexer
• Or run on a dedicated Collector instance and forward to an indexer
• Uses Deployment Server to sync tokens across the Collector instances
How to set up a DS client
splunk set deploy-poll [host]:8088
splunk enable deploy-server
splunk restart
Demo Distributed deployment
Demo Troubleshooting / Monitoring
3rd party integrations
Send your container logs DIRECTLY to Splunk
How it works
A new log driver captures the container's stdout and pushes it to Splunk. Currently it is in development, but should be out of the box soon. We're contributing to Docker!!!!!!!
docker run --log-driver=splunk --log-opt splunk-token=F81DD289-863D-45EF-B9CE-A7D3514AF2C7 --log-opt splunk-url=https://10.20.17.169:8088 --log-opt splunk-insecureskipverify=true hello-world
And finally, some useful resources:
• Developer page for HEC – http://dev.splunk.com/view/event-collector/SP-CAAAE6M
• nodejs logger – https://www.npmjs.com/package/splunk-bunyan-logger
• JS Logging resources – http://dev.splunk.com/view/splunk-logging-javascript/SP-CAAAE6U
• HTML5 code for shake demo – https://github.com/splunk/parallel-piper
Demo: Docker driver
Next steps?
Breakouts
• Liberate Your Application Logging
More information
• docs.splunk.com, see "Getting Data In"
• dev.splunk.com
Come by the Developer Booth and say hi / ask questions!
Related breakout sessions and activities…
THANK YOU