Splunk® Data Stream Processor

Function Reference

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.

Send data to Splunk APM

Use the Send to Splunk APM sink function to send trace data in Zipkin format to a Splunk APM endpoint.

Splunk APM trace values in the are a collection of maps with a common trace ID, formatted as Zipkin spans. Each span represents some type of remote activity such as RPC calls, or messaging producers and consumers. See the Zipkin Data Model documentation for more details.

Prerequisites

Before you can use this function, you must create a Splunk Observability connection. See Create a DSP connection to Splunk Observability in the Connect to Data Sources and Destinations with the manual. When configuring this sink function, set the connection_id argument to the ID of that connection.

Function input schema

collection<record<R>>
This function takes in collections of records with schema R.

Required arguments

connection_id
Syntax: string
Description: The Splunk Observability connection ID.
Example: my-splunk-observability-connection
trace_value
Syntax: expression<collection<map<string,any>>>
Description: The Splunk APM trace values can be constructed in one of the following ways:
  • Use scalar functions to dynamically construct the trace value expressions.
  • Write a literal expression in the trace_value argument using Zipkin syntax. For example: [{"traceId": "my_traceId", "id": "id-value"}].
The following mandatory Zipkin arguments must be included in all expressions:
  • traceId: String. A unique identifier for a trace. Encoded as 16 or 32 lowercase hex characters corresponding to 64 or 128 bits.
  • id: String. A unique 64 bit identifier for the operation within the trace. Encoded as 16 lowercase hex characters.
See the Zipkin API POST /spans documentation for a complete list of mandatory and optional arguments that can be used for the expressions.
Example: [{"traceId": "my_traceId", "id": "id-value"}]

Optional arguments

parameters
Syntax: map<string, string>
Description: Defaults to empty { }. Key-value pairs that can be passed to Splunk APM. This can be set to:
  • batch_size: The maximum number of elements to flush. The batch size can range between 50 and 10,000 elements. The default value is 2000.
  • batch_interval_msecs: The maximum time to wait before flushing. The batch size interval can range between 50 and 100,000 milliseconds. The default value is 2000.
Example: batch_size = 1000

SPL2 example

In these examples, the trace_value is constructed with a literal expression.

When working in the SPL View, you can write the function by providing the arguments in this exact order.

...| into signalfx_trace("my-splunk-observability-connection", [{"traceId": "my_traceId", "id": "id-value"}],  {"batch_size": "1000", "batch_interval_msecs": "10000"});

Alternatively, you can use named arguments to declare the arguments in any order and omit any optional arguments you don't want to declare. All unprovided arguments use their default values. The following example provides the arguments in an arbitrary order.

...| into signalfx_trace(trace_value: [{"traceId": "my_traceId", "id": "id-value"}], connection_id: "my-splunk-observability-connection", parameters: {"batch_size": "1000", "batch_interval_msecs": "10000"});

If you want to use a mix of unnamed and named arguments in your functions, you need to list all unnamed arguments in the correct order before providing the named arguments.

Port requirements

The Send to Splunk APM function sends HTTP requests to the Splunk APM endpoint via a dynamic or ephemeral port. Your local firewall configuration must be set up to allow outgoing HTTP traffic from at least one of the ports in the range of dynamic or ephemeral ports allocated by your operating system. These ports typically range from 49152 to 65535, but this can be different depending on the specific operating system you are using.

Last modified on 14 April, 2021
Send data to Splunk Infrastructure Monitoring   Send data to null

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters