Overview
Splunk, Splunk>, Turn Data Into Doing, and Data-to-Everything are trademarks or registered trademarks of Splunk Inc. in the United States and other countries.
Elastic and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.
Splunk Supporting Add-on for Elasticsearch (ElasticSPL) provides a straightforward way of querying data stored in Elasticsearch from Splunk using custom Splunk commands.
ElasticSPL provides the following functionality to Splunk users:
- Query Elasticsearch in an ad-hoc fashion using DSL or Lucene search statements for time-series data using
elasticadhocandelasticquery - Query Elasticsearch in an ad-hoc fashion using DSL search statements for aggregated data using
elasticadhocstatsandelasticquerystats - Save DSL or Lucene queries and share them with other users
- Configure DSL or Lucene queries to manage timestamps based on defined field names automatically
- Configure DSL or Lucene queries with replacements to adapt queries to the current requirement on the fly
- Create DSL or Lucene queries and preview results using an interactive explorer dashboard
In addition, ElasticSPL provides an admin section that allows the management of multiple Elasticsearch instances and saved queries. Finally, a comprehensive access control system based on Splunk capabilities and roles allows for granular access control from Splunk to Elasticsearch.
Elasticsearch
ElasticSPL supports the following Elasticsearch versions and distribution with some limitations:
| Version | Basic Auth | API Key | CA Cert | Certificate Fingerprint |
|---|---|---|---|---|
| Elasticsearch 8 | ✔️ | ✔️ | ✔️ | ✔️ limited to a single node |
| Elasticsearch 7 | ✔️ | ✔️ | ✔️ | ✔️ limited to a single node |
| Elasticsearch 6 | ✔️ | ❌ | ✔️ | ✔️ limited to a single node |
| Opensearch | ✔️ | ❌ | ✔️ | ✔️ limited to a single node |
| Opendistro | ✔️ | ❌ | ✔️ | ✔️ limited to a single node |
Multiple nodes are only supported while using CA certificate. ElasticSPL is still able to query an Elasticsearch cluster while using certificate fingerprints but will always communicate with the same cluster node and not select a random node.
You need the following information from your Elasticsearch Administrator for ElasticSPL to connect to Elasticsearch successfully:
| Information | Description | Example |
|---|---|---|
| URL | One or many Elasticsearch instances. Multiple instances are only supported when a certificate is used | https://es.corp.com:9200 |
| API ID | API ID of the API key to be used. Make sure that the user for which the API information is valid for has access to all required data | |
| API KEY | API Key of the API key to be used | |
| Username | Username of a User available in Elasticsearch with access to the required data | |
| Password | Password for the Username provided | |
| CA Certificate | This is required for the server to be trusted if the certificate is not signed by a CA available in certifi | |
| Certificate Fingerprint | The fingerprint of the certificate provided by the URL | 40c90360e239cb6b426164594d2118d5b3b57d6b |
| Proxy URL | The URL of a http or htttps proxy required for communication with the Elasticsearch servers | https://proxy.corp.com:3128 |
| Proxy Username | If the proxy enforces authentication Basic Auth is configurable | |
| Proxy Password | If the proxy enforces authentication Basic Auth is configurable | |
| Proxy CA cert | If a SSL connection from ElasticSPL to the a proxy server should be established and verified, the CA certifica of the certificate that is installed on the proxy can be configured |
To extract the fingerprint from a certificate using a UNIX system, run the following oneliner:
openssl s_client -connect <URL> | openssl x509 -noout -fingerprint
Remove all : and convert the fingerprint to lowercase before configuring the instance. Alternatively, the certificate fingerprint is available in the certificate details when connecting using a browser to the Elasticsearch port
- ElasticSPL does not support the configuration of fingerprints for proxy servers.
- If used with a proxy performing SSL interception, fingerprints will not work as the certificate seen by ElasticSPL are generated on the fly by the proxy server. Use the signing CA configured on the proxy for validation.