Version: 1.0.0

Overview

info

Splunk, Splunk>, Turn Data Into Doing, and Data-to-Everything are trademarks or registered trademarks of Splunk Inc. in the United States and other countries.

Elastic and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Splunk Supporting Add-on for Elasticsearch (ElasticSPL)

Splunk Supporting Add-on for Elasticsearch (ElasticSPL) provides a straightforward way of querying data stored in Elasticsearch from Splunk using custom Splunk commands.

ElasticSPL provides the following functionality to Splunk users:

  • Query Elasticsearch in an ad-hoc fashion using DSL or Lucene search statements for time-series data using elasticadhoc and elasticquery
  • Query Elasticsearch in an ad-hoc fashion using DSL search statements for aggregated data using elasticadhocstats and elasticquerystats
  • Save DSL or Lucene queries and share them with other users
  • Configure DSL or Lucene queries to manage timestamps based on defined field names automatically
  • Configure DSL or Lucene queries with replacements to adapt queries to the current requirement on the fly
  • Create DSL or Lucene queries and preview results using an interactive explorer dashboard

In addition, ElasticSPL provides an admin section that allows the management of multiple Elasticsearch instances and saved queries. Finally, a comprehensive access control system based on Splunk capabilities and roles allows for granular access control from Splunk to Elasticsearch.

Elasticsearch Requirements

ElasticSPL supports the following Elasticsearch versions and distributions, with some limitations:

| Version | Authentication Method | Certificate Method |
| --- | --- | --- |
| Elasticsearch 8 | Basic or API Key | None, Fingerprint or CA certificate |
| Elasticsearch 7 | Basic or API Key | None, Fingerprint or CA certificate |
| Elasticsearch 6 | Basic | None, Fingerprint or CA certificate |
| OpenDistro | Basic | None, Fingerprint or CA certificate |
| OpenSearch | Basic | None, Fingerprint or CA certificate |

Cluster Functionality

Multiple nodes are only supported when using a CA certificate. ElasticSPL is still able to query an Elasticsearch cluster when using certificate fingerprints, but it will always communicate with the same cluster node and never select a random node.

You need the following information from your Elasticsearch Administrator for ElasticSPL to connect to Elasticsearch successfully:

| Information | Description | Example |
| --- | --- | --- |
| URL | One or many Elasticsearch instances. Multiple instances are only supported when a CA certificate is used | https://es.corp.com:9200 |
| API ID | ID of the API key to be used. Make sure that the user for which the API key is valid has access to all required data | |
| API KEY | Secret of the API key to be used | |
| Username | Username of a user available in Elasticsearch with access to the required data | |
| Password | Password for the username provided | |
| CA Certificate | Required for the server to be trusted if its certificate is not signed by a CA available in certifi | |
| Certificate Fingerprint | The fingerprint of the certificate presented by the URL | 40c90360e239cb6b426164594d2118d5b3b57d6b |
| Proxy URL | The URL of an http or https proxy required for communication with the Elasticsearch servers | https://proxy.corp.com:3128 |
| Proxy Username | If the proxy enforces authentication, Basic Auth is configurable | |
| Proxy Password | If the proxy enforces authentication, Basic Auth is configurable | |
| Proxy CA cert | If an SSL connection from ElasticSPL to a proxy server should be established and verified, the CA certificate of the certificate installed on the proxy can be configured | |

Certificate Fingerprints, Proxy Certificate Fingerprint & SSL Interception

To extract the fingerprint from a certificate on a UNIX system, run the following one-liner (the `</dev/null` closes the connection once the certificate has been received, so the command does not wait for input):

openssl s_client -connect <host>:<port> </dev/null | openssl x509 -noout -fingerprint

Here `<host>:<port>` is the host and port of the Elasticsearch URL. Remove all `:` separators and convert the fingerprint to lowercase before configuring the instance. Alternatively, the certificate fingerprint is available in the certificate details when connecting to the Elasticsearch port with a browser.

  • ElasticSPL does not support the configuration of fingerprints for proxy servers.
  • If used with a proxy performing SSL interception, fingerprints will not work, because the certificate seen by ElasticSPL is generated on the fly by the proxy server. Use the signing CA configured on the proxy for validation instead.
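Scripting the normalisation step above, as an added example that is not part of ElasticSPL: it turns an `openssl x509 -fingerprint` output line into the colon-free lowercase form the add-on expects and checks it against the configured value, which is the check that fails when a proxy intercepts TLS. The function names and the sample fingerprint line are assumptions; the digest over a certificate's DER bytes is what openssl prints as the fingerprint.

```python
"""Normalise and check Elasticsearch certificate fingerprints for ElasticSPL.

Added example, not part of the ElasticSPL project.
"""
import hashlib
import hmac
import re
import ssl

# Accepted hex lengths: openssl prints SHA1 (40 hex chars) by default,
# `-sha256` prints the 64-character form.
_DIGEST_LENGTHS = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA1 Fingerprint=40:C9:...', '40:C9:...' or '40c9...' and
    return lowercase hex without separators, validating the length."""
    value = text.strip().split("=", 1)[-1]        # drop the 'SHA1 Fingerprint=' label
    value = re.sub(r"[:\s]", "", value).lower()   # remove ':' and whitespace, lowercase
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in _DIGEST_LENGTHS:
        raise ValueError(f"not a SHA-1/SHA-256 fingerprint: {text!r}")
    return value


def fingerprint_from_pem(pem: str, digest: str = "sha1") -> str:
    """Fingerprint of a PEM certificate: the digest over its DER encoding,
    which is exactly what `openssl x509 -fingerprint` computes."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(digest, der).hexdigest()


def fingerprint_matches(configured: str, observed: str) -> bool:
    """Constant-time comparison of the configured and the observed fingerprint.
    A mismatch is what an intercepting proxy produces: the certificate
    ElasticSPL receives is minted by the proxy, not by the cluster."""
    a, b = normalize_fingerprint(configured), normalize_fingerprint(observed)
    return len(a) == len(b) and hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample: the openssl output line for the fingerprint used
    # in the documentation example above (assumption, not a real server).
    openssl_line = ("SHA1 Fingerprint=40:C9:03:60:E2:39:CB:6B:42:61:64:59:"
                    "4D:21:18:D5:B3:B5:7D:6B")
    print(normalize_fingerprint(openssl_line))
```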