Skip to main content

Splunk

Reading time: 0 minute(s) (0 words)

Splunk provides software for searching, monitoring, and analyzing machine-generated data via a Web-style interface. Splunk-Nobl9 integration allows users to enter their metrics using the Splunk Processing Language (SPL).

Splunk parameters and supported features in Nobl9
General support:
Release channel: Stable, Beta
Connection method: Agent, Direct
Replay and SLI Analyzer: Supported
Event logs: Supported
Query checker: Not supported
Query parameters retrieval: Supported
Timestamp cache persistence: Supported

Query parameters:
Query interval: 1 min
Query delay: 5 min
Jitter: 20 sec
Timeout: 30 sec

Agent details and minimum required versions for supported features:
Environment variable: SPLUNK_QUERY_DELAY
Plugin name: n9splunk
Replay and SLI Analyzer: 0.65.0
Maximum historical data retrieval period: 30 days
Query parameters retrieval: 0.73.2
Timestamp cache persistence: 0.65.0

Additional notes:
Self-signed Splunk Enterprise certificates are not supported. Nobl9 requires successful certificate validation for any Splunk Enterprise instance using TLS, and self-signed certificates cannot pass this validation

Requirements​

Splunk API Endpoint URL​

To connect to the required Splunk instance, both direct and agent connection methods require API Endpoint URL to contain the following:

  • SPLUNK_BASE_URL the base URL configured during the deployment of Splunk software, for Splunk Enterprise.
  • PORT_NUMBER: 8089, if the API is using the default port.
    Ask your Splunk administrator for the API Token and correct URL for connecting.

This URL must point to the base API URL of the Splunk Search app.

Usually, the format is {SPLUNK_BASE_URL}:{PORT_NUMBER}/services/.
So, for example, your resulting API Endpoint URL can be https://splunk.my-instance.com:8089/services/.

Typos can happen with manual entry

Here's a quick checklist to avoid request failures:

  • Splunk base URL: confirm it's correct with your Splunk administrator
  • Port: 8089 by default, or your specific port
  • /services/: ensure it's exactly like this

Authentication​

Splunk agent deployment requires authentication. You can authenticate in either way:

  • With Splunk Search App REST API, using SAML.
    For this, pass your Splunk App Token with the SPLUNK_APP_TOKEN environment variable.

  • Passing your token with a local config file under the n9splunk section.

    For example

    Create the cfg.toml file and specify your token as the n9splunk value:

    [n9splunk]
    application_token="YOUR_TOKEN"

    Likewise, you can use your username and password with the app_user and app_password keys.

  • Using the basic authentication method.
    This requires passing your user credentials with the SPLUNK_USER and SPLUNK_PASSWORD environment variables at the agent startup.

Minimum required permissions​

Ensure the following permissions are set for the Nobl9 agent:

  • The search capability
  • Access to index

Alternatively, you can use a wildcard:

splunk minimal role permission

Adding Splunk as a data source​

To ensure data transmission between Nobl9 and your data source, it may be necessary to list Nobl9 IP addresses as trusted.

πŸ’»ip allowlist
IP addresses to include in your allowlist for secure access:

If you're using app.nobl9.com instance:
  • 18.159.114.21
  • 18.158.132.186
  • 3.64.154.26
If you're using us1.nobl9.com instance:
  • 34.121.54.120
  • 34.123.193.191
  • 34.134.71.10
  • 35.192.105.150
  • 35.225.248.37
  • 35.226.78.175
  • 104.198.44.161

You can add the Splunk data source using the direct or agent connection methods.

Direct connection method​

Direct configuration for Splunk requires users to enter their credentials, which Nobl9 stores safely.

Nobl9 Web​

Follow these steps to set up a direct configuration:

  1. Navigate to Integrations > Sources.
  2. Click .
  3. Click the required Source button.
  4. Choose Direct.
  1. Select one of the following Release Channels:
    • The stable channel is fully tested by the Nobl9 team. It represents the final product; however, this channel does not contain all the new features of a beta release. Use it to avoid crashes and other limitations.
    • The beta channel is under active development. Here, you can check out new features and improvements without the risk of affecting any viable SLOs. Remember that features in this channel can change.

  2. Specify API Endpoint URL to connect to your required Splunk instance.
    Example URL: https://splunk.example.com:8089/services/. Make sure it doesn't contain any typos.

  3. Enter the Access Token generated from your Splunk instance (mandatory).

  1. Select a Project.
    Specifying a project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, Nobl9 uses the default project.
  2. Enter a Display Name.
    You can enter a user-friendly name with spaces in this field.
  3. Enter a Name.
    The name is mandatory and can only contain lowercase, alphanumeric characters, and dashes (for example, my-project-1). Nobl9 duplicates the display name here, transforming it into the supported format, but you can edit the result.
  4. Enter a Description.
    Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.
  5. Specify the Query delay to set a customized delay for queries when pulling the data from the data source.
    • The default value in Splunk integration for Query delay is 5 minutes.
    info
    Changing the Query delay may affect your SLI data. For more details, check the Query delay documentation.
  6. Enter a Maximum Period for Historical Data Retrieval.
    • This value defines how far back in the past your data will be retrieved when replaying your SLO based on this data source.
    • The maximum period value depends on the data source.
      Find the maximum value for your data source.
    • A greater period can extend the loading time when creating an SLO.
      • The value must be a positive integer.
  7. Enter a Default Period for Historical Data Retrieval.
    • It is used by SLOs connected to this data source.
    • The value must be a positive integer or 0.
    • By default, this value is set to 0. When you set it to >0, you will create SLOs with Replay.
  8. Click Add Data Source.

sloctl​

To connect the Splunk data source using the direct method, apply the following configuration using the sloctl apply -f command:

apiVersion: n9/v1alpha
kind: Direct
metadata:
name: my-splunk-data-source
displayName: My Splunk data source
project: my-project
spec:
description: Sample Splunk data source use direct connection
releaseChannel: stable
splunk:
url: https://{splunk.my-org}.com/services
accessToken: "[secret]"
logsCollectionEnabled: true
historicalDataRetrieval:
maxDuration:
value: 30
unit: Day
defaultDuration:
value: 15
unit: Day
queryDelay:
value: 6
unit: Minute
FieldTypeDescription
queryDelay.unit
mandatory
enumSpecifies the unit for the query delay. Possible values: Second | Minute.
β€’ Check query delay documentation for default unit of query delay for each source.
queryDelay.value
mandatory
numericSpecifies the value for the query delay.
β€’ Must be a number less than 1440 minutes (24 hours).
β€’ Check query delay documentation for default unit of query delay for each source.
logCollectionEnabled
optional
booleanOptional. Defaults to false. Set to true if you'd like your direct to collect event logs. Contact us to activate it.
releaseChannel
mandatory
enumSpecifies the release channel. Accepted values: beta | stable.
Source-specific fields
splunk.accessToken
mandatory
string, secretEnvironment variable used for authentication with the Splunk Search App REST API. See authentication for more details.
splunk.URL
mandatory
stringBase API URL of the Splunk Search app. See authentication for more details.
Replay-related fields
historicalDataRetrieval
optional
n/aOptional structure related to configuration related to Replay.
❗ Use only with supported sources.
β€’ If omitted, Nobl9 uses the default values of value: 0 and unit: Day for maxDuration and defaultDuration.
maxDuration.value
optional
numericSpecifies the maximum duration for historical data retrieval. Must be integer β‰₯ 0. See Replay documentation for values of max duration per data source.
maxDuration.unit
optional
enumSpecifies the unit for the maximum duration of historical data retrieval. Accepted values: Minute | Hour | Day.
defaultDuration.value
optional
numericSpecifies the default duration for historical data retrieval. Must be integer β‰₯ 0 and ≀ maxDuration.
defaultDuration.unit
optional
enumSpecifies the unit for the default duration of historical data retrieval. Accepted values: Minute | Hour | Day.

Agent connection method​

Nobl9 Web​

Follow the instructions below to configure your Splunk agent.

  1. Navigate to Integrations > Sources.
  2. Click .
  3. Click the required Source button.
  4. Choose Agent.
  1. Select one of the following Release Channels:
    • The stable channel is fully tested by the Nobl9 team. It represents the final product; however, this channel does not contain all the new features of a beta release. Use it to avoid crashes and other limitations.
    • The beta channel is under active development. Here, you can check out new features and improvements without the risk of affecting any viable SLOs. Remember that features in this channel can change.

  2. Specify API Endpoint URL to connect to your required Splunk instance.
    Example URL: https://splunk.example.com:8089/services/. Make sure it doesn't contain any typos.

  1. Select a Project.
    Specifying a project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, Nobl9 uses the default project.
  2. Enter a Display Name.
    You can enter a user-friendly name with spaces in this field.
  3. Enter a Name.
    The name is mandatory and can only contain lowercase, alphanumeric characters, and dashes (for example, my-project-1). Nobl9 duplicates the display name here, transforming it into the supported format, but you can edit the result.
  4. Enter a Description.
    Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.
  5. Specify the Query delay to set a customized delay for queries when pulling the data from the data source.
    • The default value in Splunk integration for Query delay is 5 minutes.
    info
    Changing the Query delay may affect your SLI data. For more details, check the Query delay documentation.
  6. Enter a Maximum Period for Historical Data Retrieval.
    • This value defines how far back in the past your data will be retrieved when replaying your SLO based on this data source.
    • The maximum period value depends on the data source.
      Find the maximum value for your data source.
    • A greater period can extend the loading time when creating an SLO.
      • The value must be a positive integer.
  7. Enter a Default Period for Historical Data Retrieval.
    • It is used by SLOs connected to this data source.
    • The value must be a positive integer or 0.
    • By default, this value is set to 0. When you set it to >0, you will create SLOs with Replay.
  8. Click Add Data Source.

sloctl​

To connect the Splunk data source using the agent method, apply the following configuration using the sloctl apply -f command:

apiVersion: n9/v1alpha
kind: Agent
metadata:
name: my-splunk-data-source
displayName: My Splunk data source
project: my-project
spec:
description: Sample Splunk data source use agent connection
releaseChannel: stable
splunk:
url: https://{splunk.my-org}.com/services
historicalDataRetrieval:
maxDuration:
value: 30
unit: Day
defaultDuration:
value: 15
unit: Day
queryDelay:
value: 6
unit: Minute
FieldTypeDescription
queryDelay.unit
mandatory
enumSpecifies the unit for the query delay. Possible values: Second | Minute.
β€’ Check query delay documentation for default unit of query delay for each source.
queryDelay.value
mandatory
numericSpecifies the value for the query delay.
β€’ Must be a number less than 1440 minutes (24 hours).
β€’ Check query delay documentation for default unit of query delay for each source.
releaseChannel
mandatory
enumSpecifies the release channel. Accepted values: beta | stable.
Source-specific fields
splunk.URL
mandatory
stringBase API URL of the Splunk Search app. See authentication section above for more details.
Replay-related fields
historicalDataRetrieval
optional
n/aOptional structure related to configuration related to Replay.
❗ Use only with supported sources.
β€’ If omitted, Nobl9 uses the default values of value: 0 and unit: Day for maxDuration and defaultDuration.
maxDuration.value
optional
numericSpecifies the maximum duration for historical data retrieval. Must be integer β‰₯ 0. See Replay documentation for values of max duration per data source.
maxDuration.unit
optional
enumSpecifies the unit for the maximum duration of historical data retrieval. Accepted values: Minute | Hour | Day.
defaultDuration.value
optional
numericSpecifies the default duration for historical data retrieval. Must be integer β‰₯ 0 and ≀ maxDuration.
defaultDuration.unit
optional
enumSpecifies the unit for the default duration of historical data retrieval. Accepted values: Minute | Hour | Day.
warning

You can deploy only one agent in one YAML file by using the sloctl apply command.

Agent deployment​

When you add a data source, Nobl9 automatically generates a Kubernetes configuration and a Docker command line for you to deploy the agent. Both configurations are available on the Nobl9 Web under the data source details > Agent configuration tab.

Agent deployment requires client_id and client_secret. To retrieve their values, run sloctl get agents -p <YOUR_PROJECT_NAME> -k.

Replace the placeholders provided in the generated configuration files with your actual Splunk values.

Minimum agent versions for single-query ratio metrics
  • Feature support: 0.80.0 or 0.80.0-beta
  • Replay and SLI Analyzer support: 0.82.2 or 0.82.0-beta

If you use Kubernetes, you can apply the supplied YAML config file to a Kubernetes cluster to deploy the agent. It will look something like this:

apiVersion: v1
kind: Secret
metadata:
name: splunk-agent-data-source
namespace: my-namespace
type: Opaque
stringData:
splunk_app_token: "<SPLUNK_APP_TOKEN>"
splunk_user: "<SPLUNK_USERNAME>"
splunk_password: "<SPLUNK_PASSWORD>"
client_id: "<AGENT_CLIENT_ID>"
client_secret: "<AGENT_CLIENT_SECRET>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: splunk-agent-data-source
namespace: my-namespace
spec:
replicas: 1
selector:
matchLabels:
nobl9-agent-name: "splunk"
nobl9-agent-project: "my-project"
nobl9-agent-organization: "my-organization"
template:
metadata:
labels:
nobl9-agent-name: "splunk"
nobl9-agent-project: "my-project"
nobl9-agent-organization: "nobl9-dev-stable"
spec:
containers:
- name: agent-container
image: nobl9/agent:0.88.0-beta
resources:
requests:
memory: "700Mi"
cpu: "0.2"
env:
- name: N9_CLIENT_ID
valueFrom:
secretKeyRef:
key: client_id
name: splunk-agent-data-source
- name: SPLUNK_APP_TOKEN
valueFrom:
secretKeyRef:
key: splunk_app_token
name: splunk-agent-data-source
- name: SPLUNK_USER
valueFrom:
secretKeyRef:
key: splunk_user
name: splunk-agent-data-source
- name: SPLUNK_PASSWORD
valueFrom:
secretKeyRef:
key: splunk_password
name: splunk-agent-data-source
- name: N9_INTAKE_URL
value: "<YOUR_VALUE>"
- name: N9_QUERYENGINE_URL
value: "<YOUR_VALUE>"
- name: N9_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client_secret
name: splunk-agent-data-source
- name: N9_AUTH_SERVER
value: "<YOUR_VALUE>"
- name: N9_OKTA_ORG_URL
value: "<YOUR_VALUE>"
- name: N9_METRICS_PORT
value: "9090"
- name: N9_NATS_URL
# A wss:// URL
value: "<YOUR_VALUE>"

Since agent version 0.65.3, the following environment variables are available for the Splunk integration:

- name: N9_SPLUNK_COLLECTION_JITTER
value: "15s" # Deafult: 15s
- name: N9_SPLUNK_QUERY_INTERVAL
value: "1m" # Default: 1m
- name: N9_SPLUNK_HTTP_CLIENT_TIMEOUT
value: "15s" # Default: 15s

Learn more about Query customization.

Creating SLOs with Splunk​

Nobl9 Web​

  1. Navigate to Service Level Objectives.

  2. Click .
  3. Select a Service.
    It will be the location for your SLO in Nobl9.

  4. Select Splunk as the data source for your SLO.

  5. Modify Period for Historical Data Retrieval, when necessary.
    • This value defines how far back in the past your data will be retrieved when replaying your SLO based on Splunk.
    • A longer period can extend the data loading time for your SLO.
    • Must be a positive whole number up to the maximum period value you've set when adding the Splunk data source.
  6. Select the Metric type:

    • Threshold Metric, where a single time series is evaluated against a threshold.

    • Ratio Metric, where you enter two time series for a good and total counter.

    • Ratio Metric, where you can select the query structure: Single query or Two queries.

      • Using the Single query option, you enter one query to compare both time series: for the good and total counters.

      • The Two queries option allows you to enter two time series to compareβ€”a count of good requests and total requests.

      For the ratio metrics, select the Data Count Method:

      • Non-incremental: counts incoming metric values one-by-one. So the resulting SLO graph is pike-shaped.
      • Incremental: counts the incoming metric values incrementally, adding every next value to previous values. It results in a constantly increasing SLO graph.

  7. Define the Query. It must be in the Splunk Search Processing Language and meet the following requirements:

    • Every query must contain n9 fields, and Splunk must return their values in the dataset:
    The required n9 values per metric type
    ThresholdTwo-query ratioSingle-query ratioDescription
    n9timen9timen9timeA Unix timestamp
    n9valuen9valuenot requiredFloat number
    not requirednot requiredn9goodFloat number
    not requirednot requiredn9totalFloat number
    • The query can retrieve data from either Events or Metrics Splunk indexes.

    • Nobl9 validates the queries to contain the respective n9 field along with index= with the value.

    • Dataset time ranges are segmented into 15-second chunks and aggregated as shown in the table:

      Dataset aggregation
      ThresholdRatio incrementalRatio non-incremental
      AverageMaximum valueSum of values

SLI values for good and total
When choosing the query for the ratio SLI (countMetrics), keep in mind that the values ​​resulting from that query for both good and total:
  • Must be positive.
  • While we recommend using integers, fractions are also acceptable.
    • If using fractions, we recommend them to be larger than 1e-4 = 0.0001.
  • Shouldn't be larger than 1e+20.
  1. Define the Time Window for your SLO:
  2. Configure the Error budget calculation method and Objectives:
    • Occurrences method counts good attempts against the count of total attempts.
    • Time Slices method measures how many good minutes were achieved (when a system operates within defined boundaries) during a time window.
    • You can define up to 12 objectives for an SLO.

    • Similar threshold values for objectives
      To use similar threshold values for different objectives in your SLO, we recommend differentiating them by setting varying decimal points for each objective.
      For example, if you want to use threshold value 1 for two objectives, set it to 1.0000001 for the first objective and to 1.0000002 for the second one.
      Learn more about threshold value uniqueness.
  3. Add the Display name, Name, and other settings for your SLO:
    • Name identifies your SLO in Nobl9. After you save the SLO, its name becomes read-only.
      Use only lowercase letters, numbers, and dashes.
    • Create Composite SLO: with this option selected, you create a composite SLO 1.0. Composite SLOs 1.0 are deprecated. They're fully operable; however, we encourage you to create new composite SLOs 2.0.
      You can create composite SLOs 2.0 with sloctl using the provided template. Alternatively, you can create a composite SLO 2.0 with Nobl9 Terraform provider.
    • Set Notifications on data. With it, Nobl9 will notify you in the cases when SLO won't be reporting data or report incomplete data for more than 15 minutes.
    • Add alert policies, labels, and links, if required.
      Up to 20 items of each type per SLO is allowed.
  4. Click CREATE SLO.

  5. SLO configuration use case
    Check the SLO configuration use case for a real-life SLO example.

sloctl​

Here’s an example of Splunk using a rawMetric (threshold metric):

- apiVersion: n9/v1alpha
kind: SLO
metadata:
name: my-splunk-threshold-slo
project: my-project
#displayName: My Splunk threshold SLO
#labels:
# area:
# - latency
# - slow-check
# team:
# - green
# - sales
#annotations:
# area: latency
# team: sales
spec:
#description: Sample Splunk threshold SLO
indicator:
metricSource:
name: splunk
project: my-project
kind: Agent
budgetingMethod: Occurrences
objectives:
- name: my-objective
#displayName: My objective (200)
value: 200.0
target: 0.95
rawMetric:
query:
splunk:
query: index=* source=udp:5072 sourcetype=syslog status<400 | bucket _time span=1m | stats avg(response_time) as n9value by _time | rename _time as n9time | fields n9time n9value
op: lte
primary: true
service: my-service
timeWindows:
- unit: Month
count: 1
isRolling: false
calendar:
startTime: 2022-12-01 00:00:00
timeZone: UTC
#alertPolicies:
# - my-alert-policy
#attachments:
# - url: https://my-url.com
# displayName: My URL
#anomalyConfig:
# noData:
# alertMethods:
# - name: my-alert-method
# project: my-project

Query tips, requirements, and samples​

  • For the best experience, keep query run time short enough to return results within 1–2 minutes. For example, when you query data for the last 15 minutes, the response should return within less than one minute.
    You can check query duration using Splunk's Search Job Inspector or learn quick tips for query optimization.

  • Agent version requirements for single-query ratio metrics

    NameStableBeta
    Single-query ratio metric0.80.00.80.0-beta
    Replay and SLI Analyzer0.82.20.82.0-beta
  • Every query must contain n9 fields, and Splunk must return their values in the dataset. The n9 fields are as follows:

    The required n9 values per metric type
    ThresholdTwo-query ratioSingle-query ratioDescription
    n9timen9timen9timeA Unix timestamp
    n9valuen9valuenot requiredFloat number
    not requirednot requiredn9goodFloat number
    not requirednot requiredn9totalFloat number

    Use Splunk field extractions to return values with the exact names. The n9time is the actual time, and the n9value, n9good, and n9total are metric values.

    Typically, you rename _time to n9time and the field containing metric values (for example, response_time)β€”to the n9value, n9good, or n9total.

    For example,

    index=myserver-events source=udp:5072 sourcetype=syslog response_time>0
    | rename _time as n9time, response_time as n9value
    | fields n9time n9value
    Query frequency

    The Splunk query is by default executed once per minute, returning the values found in the fields n9time and n9value. Ensure your hardware can support the query frequency or consider increasing the Query Interval.

  • The query can retrieve data from either Events or Metrics Splunk indexes.

    • Nobl9 validates the queries to contain the respective n9 field along with index= with the value.

    • Dataset time ranges are segmented into 15-second chunks and aggregated. The aggregation is as follows:

      Dataset aggregation
      ThresholdRatio incrementalRatio non-incremental
      AverageMaximum valueSum of values
  • The index attribute ("index=index_name") lets avoiding long-running queries.

    • The query can retrieve data from both the Events and Metrics indexes.
    • To retrieve Metrics data, use the | mstats command.
    • To retrieve data from the Events and Metrics indexes, enter the SPL query and select a proper index: index=_metrics or index=_events, where _metrics is the name of the metrics index, and _events is the name of the events index.
  • Sample query for the Events index:

search index=_events sourcetype=syslog status<400
| bucket _time span=1m
| stats count as n9value by _time
| rename _time as n9time
| fields n9time n9value
  • Sample query for the Metrics index:
| mstats avg("my.metric") as n9value WHERE index=_metrics span=15s
| rename _time as n9time
| fields n9time n9value
  • Sample single query for the Metrics index:
| mstats avg("spl.intr.resource_usage.IOWait.data.avg_cpu_pct") as n9good WHERE index="_metrics" span=15s
| join type=left _time [
| mstats avg("spl.intr.resource_usage.IOWait.data.max_cpus_pct") as n9total WHERE index="_metrics" span=15s]
| rename _time as n9time
| fields n9time n9good n9total

Querying Splunk server​

The Nobl9 agent leverages Splunk Enterprise API parameters. It pulls data at a per-minute interval from the Splunk server.

API rate limits for the Nobl9 agent​

Splunk Enterprise API rate limits are configured by its administrators. Rate limits must be high enough to accommodate searches from the Nobl9 agent. The Nobl9 agent makes one query per minute per unique query.

Read more in Maximum and actual search concurrency calculations | Splunk community.

Concurrent searches

For the best results, the number of concurrent searches must be about the same as the number of SLIs you have for this data source.

Number of events returned from Splunk queries​

Supported search SPL command searches within indexed events. The total number of events can be large, and a query without specific conditions, such as search sourcetype=*, returns all indexed events. A large number of data points sent to Nobl9 could disrupt the system’s performance. Therefore, there is a hard limit of 4 events per minute.

File-based queries and Splunk disk quota​

If you’re using file-based queries (the inputlookup function) instead of index-based queries, your query might not work as expected. Due to the difference in jitter configuration between Splunk and Nobl9, you might need to increase your Splunk disk quota for the inputlookup function to work properly.

To determine the appropriate disk quota size for your Splunk account, we recommend the following steps:

  1. Go to the Splunk UI and navigate to Activity > Jobs.
  2. Filter the logs by the user you currently use in Nobl9 App.
  3. Execute requests at 29-second intervals to gather all logs from the corresponding cycle.
  4. Sum the sizes of all requests from the list to determine the minimum disk quota. It is important to add a buffer to this number for safety.
  5. Once you have created more SLOs, adjust the disk quota accordingly.

We suggest increasing the quota to 2GB to resolve the issue. However, it’s important to note that the final disk quota size will depend on the data being queried.

Known limitations​

Query limitations:

For a more in-depth look, consult additional resources: