Heating up the Data Pipeline (Part 4)

In this last part of the "Heating up the Data Pipeline" blog series, we will go through some potentially useful NiFi dataflows.

Previous Parts: Part 1 Part 2 Part 3

Updating Splunk Lookup Files with SQL Query Data

The following simple workflow pulls data from a SQL Database using a JDBC connection. The ExecuteSQL processor returns data in Avro format. The results will be send through the ConvertRecord Processor to convert from Avro into CSV.

As Splunk does not allow to directly upload CSV files, we have to put the data into a Spooldir on the Splunk Server. In this case Splunk resides on the same server, so we can use the PutFile Processor. 

We could also use the PutSFTP Processor for transferring the file to a remote server.

Finally we will assemble the proper POST request, and invoke the REST endpoint.

































Splunk Event Copier

Sometimes you want to copy a subset of events from a production system to a test system in near-realtime. The following workflow uses the GetSplunk Processor to execute searches against a search head. The processor runs continuously and fetches new events based on _indextime and then emits one JSON document per event. 

Using the EvaluateJSON document we will extract attributes, which we will again put together into a Splunk HEC compatible format.

Remember that you don't have to send data 1-to-1 to the target system. E.g. you could anonymize or mask the data on-the-fly.



















Sending Splunk Events to Files

There might be cases where events have to be writteninto files on a standard file system. Using extracted attributes and the NiFi Expression Language you can specify the directory structure where the files are put. Using the Merge processor, you can bundle multiple events into one file.

Remember that there is also a CompressContent Processor to compress the files if needed.
















Time based path with NiFi Expression Language:

${sourcetype}_${filename}_${now():format('yyyyMMddHHmmss.SSS')}



Sending Splunk Events to HDFS Files

Maybe you want to send data to HDF Files. Instead of the PutFile Processor you would use the PutHDFS Processor. 

With the right directory structure, you can easily access the data with Splunk Hadoop Analytics (formerly known as Hunk)!

Note: HDFS likes large files, so try to find the right relation between latency and file size, when playing with the MergeProcessor.


























Sending Splunk Events to HDFS Parquet Files

Last but not least, Apache NiFi can also write data in HDFS Parquet Format. Also Parquet is  supported by Splunk Hadoop Analytics, should you want to analyse this data.






























Conclusion

I hope you have enjoyed this blog series about Splunk and Apache NiFi.

Apache NiFi is a powerful solution to fill the gaps when it comes to data pre-processing with Splunk.

We only scratched the surface here of what's possible with NiFi, and I'm very interested in use cases you will build. If you send them to me, I can post them on this blog.

Lastly, I would like to thank the very active NiFi community on the mailinglist for helping me building some of the workflows.

Comments

Post a Comment

Popular posts from this blog

SLOG Latency

Image
After reading Brendan's newest blog entry, I was curious about what kind of slog latency we can see for our data migration load. To remind you, only synchronous writes go into the slog SSD devices. As this is a migration running, we can see mostly NFS write operations: In our configuration the SSD slog is mirrored (HDD4 and HDD8). Hence the same number of IOPS: The next picture shows us the latency for our SDD SLOG Device HDD 4. We can see here that latencies start at 79 us and are mostly under 200 us. There are some outliers, but approx. 95% are under 500 us: This matches quite well with the values Brendan blogged about (137-181 us), which includes NFSv3 latency. For reference (no picture here), we can see latencies of about 170-500 us mostly for NFSv4. By the way. SLOG Devices are mostly one way devices, as shown here. Only if things go really bad, they are read from...
Read more

Heating up the Data Pipeline (Part 1)

Image
Pre-Processing Data I often hear the question from our customers, how data can be transformed prior to indexing in Splunk. Damien from  Baboonbones  has done a tremendous job in creating add-ons   providing custom inputs for Splunk. Most of his custom inputs provide the means to pre-process data by allowing custom event handlers to be written. Sometimes you still want to pre-process data that gets collected from Splunk's standard input types, like file monitors, Windows EventLogs, scripted inputs etc. Also, not everyone is capable of writing custom event handlers. A requirement these customers have, is that they have rolled out a large number of Splunk Universal Forwarders and they do not want to install another agent. To summarize, the solution capable of pre-processing data, should be easy to use, be easily integrated and be build on top of their existing architecture. How to plumb Splunk Pipelines Splunk has its own fittings to connect a Universal Forwar
Read more

Heating up the Data Pipeline (Part 2)

Image
In Part 1 we went through how to route events from Splunk to a 3rd party system without losing metadata. Now I'll show you how events can be transformed using Apache NiFi and be sent back to Splunk into the  HTTP Event Collector . Note: The following is not a step-by-step documentation. To learn how to use Apache NiFi you should read the G etting Started Guide . Simple Pass-Through Flow As a first exercise we will create a simple flow, that only passes data through NiFi, without applying any complex transformations. The following picture shows a high-level NiFi flow, that receives events in our custom uncooked event format with a TCP listener, then sends the data further into a transformation "black box" (aka Processor Group), which emits events in a format, that can be ingested into a Splunk HTTP Event Collector input. Apache Nifi currently provides a rapidly growing number of processors (currently 266), which can be used for data ingestion, transfo
Read more