Version: 1.0.0

Overview


Splunk, Splunk>, Turn Data Into Doing, and Data-to-Everything are trademarks or registered trademarks of Splunk Inc. in the United States and other countries.

Elastic and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Splunk Supporting Add-on for Elastic Search (ElasticSPL)

Splunk Supporting Add-on for Elastic Search (ElasticSPL) provides a straightforward way of querying data stored in Elastic Search from Splunk using custom Splunk commands.

ElasticSPL provides the following functionality to Splunk users:

  • Query Elastic Search in an ad-hoc fashion using DSL search statements for time-series data using elasticadhoc and elasticquery
  • Query Elastic Search in an ad-hoc fashion using DSL search statements for aggregated data using elasticadhocstats and elasticquerystats
  • Save DSL queries and share them with other users
  • Configure DSL queries to manage timestamps based on defined field names automatically
  • Configure DSL queries with replacements to adapt queries to the current requirement on the fly
  • Create DSL queries and preview results using an interactive explorer dashboard

In addition, ElasticSPL provides an admin section that allows the management of multiple Elastic Search instances and saved queries. Finally, a comprehensive access control system based on Splunk capabilities and roles allows for granular access control from Splunk to Elastic Search.

Elastic Search Requirements

ElasticSPL supports the following Elasticsearch versions and distributions, with some limitations:

| Version         | Authentication Method | Certificate Method                   | Client Version                             |
|-----------------|-----------------------|--------------------------------------|--------------------------------------------|
| Elasticsearch 8 | Basic or API Key      | Fingerprint or CA certificate        | 8.2.3                                      |
| Elasticsearch 7 | Basic or API Key      | Fingerprint or CA certificate        | 7.13.4                                     |
| Elasticsearch 6 | Basic                 | None, Fingerprint or CA certificate  | 6.8.2                                      |
| OpenDistro      | Basic                 | None, Fingerprint or CA certificate  | 7.13.4                                     |
| OpenSearch      | Basic                 | None, Fingerprint or CA certificate  | Elasticsearch 7.13.4 or OpenSearch 2.0.0   |

Cluster Functionality

Multiple nodes are only supported when a CA certificate is used. ElasticSPL can still query an Elasticsearch cluster with a certificate fingerprint, but it will always communicate with the same cluster node and will not round-robin between nodes.

You need the following information from your Elastic Search Administrator for ElasticSPL to connect to Elasticsearch successfully:

| Information             | Description                                                                                                                       | Example                                  |
|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|
| URL                     | One or many Elastic Search instances. Multiple instances are only supported when a certificate is used                            | https://es.corp.com:9200                 |
| API ID                  | API ID of the API key to be used. Make sure that the user for which the API information is valid has access to all required data |                                          |
| API KEY                 | API Key of the API key to be used                                                                                                 |                                          |
| Username                | Username of a user available in Elasticsearch with access to the required data                                                    |                                          |
| Password                | Password for the username provided                                                                                                |                                          |
| CA Certificate          | This is required for the server to be trusted if the certificate is not signed by a CA available in certifi                       |                                          |
| Certificate Fingerprint | The fingerprint of the certificate provided by the URL                                                                            | 40c90360e239cb6b426164594d2118d5b3b57d6b |

Certificate Fingerprint

To extract the fingerprint of a certificate on a UNIX system, run the following one-liner (replace <host>:<port> with the host and port from the instance URL; the `</dev/null` stops s_client from waiting for input after the handshake):

openssl s_client -connect <host>:<port> </dev/null 2>/dev/null | openssl x509 -noout -fingerprint

Remove all colons (:) and convert the fingerprint to lowercase before configuring the instance.

Alternatively, the certificate fingerprint is available in the certificate details when connecting to the Elasticsearch port with a browser.
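The following script is an added example, not part of ElasticSPL, that carries the one-liner above through the normalisation step (strip the colons, lowercase) and checks the result has the 40-hex-character shape of the example fingerprint on this page. The function names, the `-sha1` digest selection (chosen because the page's example is 40 hex characters, i.e. a SHA-1 digest) and the sample input are assumptions made for the example; the fingerprint line fed to it is constructed from the page's own example value.

```shell
#!/bin/sh
# Added example (not ElasticSPL code): extract and normalise a certificate
# fingerprint for the ElasticSPL instance configuration.

# normalize_fingerprint: read an OpenSSL line such as
#   "SHA1 Fingerprint=40:C9:03:..." (or a bare colon-separated fingerprint)
# on stdin and print it with the colons removed and hex digits in lowercase.
normalize_fingerprint() {
    sed 's/.*=//' | tr -d ':' | tr 'ABCDEF' 'abcdef'
}

# is_valid_fingerprint: true when the argument is exactly 40 lowercase hex
# characters with no separators, the shape of the example on this page.
is_valid_fingerprint() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# fingerprint_from_file: normalised SHA-1 fingerprint of a PEM certificate on disk
# (useful when the administrator hands you the server certificate instead of access).
fingerprint_from_file() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint | normalize_fingerprint
}

# fetch_fingerprint HOST:PORT: connect to the TLS port, take the leaf certificate
# and print its normalised fingerprint. </dev/null keeps s_client from waiting on
# stdin; -servername sends SNI so a name-based virtual host returns the right cert.
fetch_fingerprint() {
    host=${1%%:*}
    openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -sha1 -fingerprint | normalize_fingerprint
}

# Constructed sample: the page's example fingerprint as OpenSSL would print it.
SAMPLE_LINE='SHA1 Fingerprint=40:C9:03:60:E2:39:CB:6B:42:61:64:59:4D:21:18:D5:B3:B5:7D:6B'

# Only contact a live server when a HOST:PORT argument is given; otherwise show
# the normalisation step on the constructed sample so the script runs offline.
if [ "$#" -gt 0 ]; then
    fp=$(fetch_fingerprint "$1")
else
    fp=$(printf '%s\n' "$SAMPLE_LINE" | normalize_fingerprint)
fi
if is_valid_fingerprint "$fp"; then
    printf 'fingerprint for ElasticSPL: %s\n' "$fp"
else
    printf 'unexpected fingerprint format: %s\n' "$fp" >&2
fi
```

Run it as `sh fingerprint.sh es.corp.com:9200` to query a real instance, or with no argument to see the normalisation applied to the constructed sample; the value it prints is what goes into the Certificate Fingerprint field.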