Splunk Node
The Splunk node gives users access to the machine-generated data (such as logs) they have stored in Splunk.
The Splunk node enables fast, complex SQL queries against Splunk and pushes supported SQL operations, such as filters and aggregations, down to Splunk so they run there rather than in Ex Machina.
Prerequisites
Follow the steps below to add credentials for Splunk. You must have a valid Splunk URL, username, and password.
- Drag a Splunk node onto the Ex Machina workspace
- Select the gear icon beside the Credential field
- Select the plus sign in the upper right corner
- Enter a name for the credential
- Enter the URL of the Splunk web interface
- Enter the username and password you use to access Splunk

The data provider uses plain-text authentication by default, because it first attempts to negotiate TLS/SSL with the server, which protects the credentials in transit.
Configuration
| Field | Description |
|---|---|
| Name (default: none) | A user-specified node name displayed in the canvas. |
| Credential (required) | The information needed to access Splunk data. Select a saved credential from the dropdown menu. Select the gear icon to add a new credential or delete existing credentials. |
| Select Table or Define Query (required) | The data to upload. Select the table you want to upload from the auto-populated dropdown menu, or enter a SQL query that returns the desired data. |
| Filter by Value (default: none) | Configure filters to be applied to the data. Use the dropdown fields to filter results. Filter options include: is null, is not null, is equal, is not equal, begins with, ends with, in between, is less than, is less than or equal to, is greater than, and is greater than or equal to. Filters can be applied to any column data type. Add additional filters to combine conditions with "And" logic. |
Node Inputs/Outputs
| Port | Description |
|---|---|
| Input | None |
| Output | Ex Machina returns a table, called a dataframe, that contains all uploaded data. Columns are labeled and include a symbol that specifies the data type of that column. |

Figure 1: Example dataframe output
Examples
Example 1: Upload a table
- Select the Splunk credential and the table ("SearchJobs" in this example) that contains the desired data.
- Select Run to create a dataframe.

Figure 2: Example Splunk configuration

Figure 3: Example dataframe created from a Splunk table

Example 2: Upload data with a query
- Select a Splunk credential.
- Write a query that returns the desired data. In the example below, the query returns data from the SearchJobs table in Splunk, limited to 2 rows.
- Select Run to create a dataframe.

Figure 4: Example Splunk configuration using a query

Figure 5: Example dataframe created from a Splunk query

Example 3: Upload data with a filter
- Select the Splunk credential and the table ("SearchJobs" in this example) that contains the desired data.
- Add a filter using the optional Filter by Value input. This input lets users configure filters visually: for example, select a string column and keep only rows that begin with a certain letter, or select a numeric column and return only rows whose value is greater than a user-specified input.
- Select Run to create a dataframe.

Figure 6: Example Splunk configuration using a filter

Figure 7: Example dataframe created using a filter
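As an added example (not Ex Machina's own code, and not how the product necessarily implements it), the following shows how a set of Filter by Value conditions, using the operators listed under Configuration and combined with "And", can be pushed down to Splunk as a parameterized SQL WHERE clause. User-entered values are bound as parameters rather than spliced into the query text, LIKE wildcards are escaped so a value such as "50%" matches literally, and column and table names are checked against a strict identifier pattern. The column names Status, RunDuration and Label are assumed.

```python
import re

# Operators from the page's filter list, mapped to a SQL template and the
# number of user-supplied values each takes. "?" is a bound parameter.
_OPS = {
    "is null": ("{col} IS NULL", 0),
    "is not null": ("{col} IS NOT NULL", 0),
    "is equal": ("{col} = ?", 1),
    "is not equal": ("{col} <> ?", 1),
    "begins with": ("{col} LIKE ? ESCAPE '\\'", 1),
    "ends with": ("{col} LIKE ? ESCAPE '\\'", 1),
    "in between": ("{col} BETWEEN ? AND ?", 2),
    "is less than": ("{col} < ?", 1),
    "is less than or equal to": ("{col} <= ?", 1),
    "is greater than": ("{col} > ?", 1),
    "is greater than or equal to": ("{col} >= ?", 1),
}
# Identifiers (table and column names) are not parameterizable, so they are
# allow-listed instead of being quoted or escaped.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _escape_like(value: str) -> str:
    # Escape the LIKE wildcards so the user's value is matched literally.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_where(filters):
    """Return (where_clause, params). Filters are ANDed, as on the page."""
    clauses, params = [], []
    for col, op, *vals in filters:          # e.g. ("Status", "begins with", "50%")
        if not _IDENT.match(col):
            raise ValueError(f"rejected column name: {col!r}")
        template, arity = _OPS[op]          # unknown operator -> KeyError
        if len(vals) != arity:
            raise ValueError(f"{op!r} expects {arity} value(s), got {len(vals)}")
        if op == "begins with":
            vals = [_escape_like(vals[0]) + "%"]
        elif op == "ends with":
            vals = ["%" + _escape_like(vals[0])]
        clauses.append(template.format(col=col))
        params.extend(vals)
    return " AND ".join(clauses), params


def build_query(table, filters, limit=None):
    """Assemble the pushed-down SELECT; LIMIT is coerced to int, never spliced raw."""
    if not _IDENT.match(table):
        raise ValueError(f"rejected table name: {table!r}")
    where, params = build_where(filters)
    sql = f"SELECT * FROM {table}"
    if where:
        sql += " WHERE " + where
    if limit is not None:
        sql += f" LIMIT {int(limit)}"
    return sql, params
```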