Splunk® Data Stream Processor

Function Reference

DSP 1.2.0 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Send data to SignalFx (trace)

Use the Send Trace Data to SignalFx sink function to send trace data in Zipkin format to a SignalFx endpoint.

SignalFx trace values in DSP are a collection of maps with a common trace ID, formatted as Zipkin spans. Each span represents some type of remote activity such as RPC calls, or messaging producers and consumers. See the Zipkin Data Model documentation for more details.

Prerequisites

Before you can use this function, you must create a connection. See Create a connection to SignalFx in the Connect to Data Sources and Destinations with the manual. When configuring this sink function, set the connection_id argument to the ID of that connection.

Function input schema

collection<record<R>>
This function takes in collections of records with schema R.

Required arguments

connection_id
Syntax: string
Description: The SignalFx connection ID.
Example in Canvas View: "576205b3-f6f5-4ab7-8ffc-a4089a95d0c4"
trace_value
Syntax: expression<collection<map<string,any>>>
Description: The SignalFx trace values can be constructed in one of the following ways:
  • Use DSP scalar functions to dynamically construct the trace value expressions.
  • Write a literal expression in the trace_value argument using Zipkin syntax. For example: [{"traceId": "my_traceId", "id": "id-value"}].
The following mandatory Zipkin arguments must be included in all expressions:
  • traceId: String. A unique identifier for a trace. Encoded as 16 or 32 lowercase hex characters corresponding to 64 or 128 bits.
  • id: String. A unique 64 bit identifier for the operation within the trace. Encoded as 16 lowercase hex characters.
See the Zipkin API POST /spans documentation for a complete list of mandatory and optional arguments that can be used for the expressions.
Example in Canvas View: [{"traceId": "my_traceId", "id": "id-value"}]

Optional arguments

parameters
Syntax: map<string, string>
Description: Defaults to empty { }. Key-value pairs that can be passed to SignalFx. This can be set to:
  • batch_size: The maximum number of elements to flush. The batch size can range between 50 and 10,000 elements. The default value is 2000.
  • batch_interval_msecs: The maximum time to wait before flushing. The batch size interval can range between 50 and 100,000 milliseconds. The default value is 2000.
Example in Canvas View: batch_size = 1000

SPL2 example

In these examples, the trace_value is constructed with a literal expression.

When working in the SPL View, you can write the function by providing the arguments in this exact order.

...| into signalfx_trace("my-signalfx-connection", [{"traceId": "my_traceId", "id": "id-value"}],  {"batch_size": "1000", "batch_interval_msecs": "10000"});

Alternatively, you can use named arguments to declare the arguments in any order and omit any optional arguments you don't want to declare. All unprovided arguments use their default values. The following example provides the arguments in an arbitrary order.

...| into signalfx_trace(trace_value: [{"traceId": "my_traceId", "id": "id-value"}], connection_id: "my-signalfx-connection", parameters: {"batch_size": "1000", "batch_interval_msecs": "10000"});

If you want to use a mix of unnamed and named arguments in your functions, you need to list all unnamed arguments in the correct order before providing the named arguments.

Port requirements

The Write to SignalFx function sends HTTP requests to the SignalFx endpoint via a dynamic or ephemeral port. Your local firewall configuration must be set up to allow outgoing HTTP traffic from at least one of the ports in the range of dynamic or ephemeral ports allocated by your operating system. These ports typically range from 49152 to 65535, but this can be different depending on the specific operating system you are using.

Last modified on 14 April, 2021
Send data to SignalFx (metric)   Send data to null

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters