Splunk Log Publisher with iRule HSL
Hi,
I'm having some difficulty understanding the relationship between the HSL iRule commands and formatted log publishers (Splunk, in this case) in 11.5.1. Sorry if the formatting isn't what the community expects - I'm fairly new to this ecosystem.
Setup
- One node called "splunk-universal-forwarder" running a Splunk universal forwarder listening on 9996/tcp.
- A pool called "remote-logging-pool" with the splunk-universal-forwarder node listening on 9996/tcp.
- Log Destination "splunk-rhsl" of type Remote HSL pointed at the remote-logging-pool over TCP.
- Log Destination "splunk-formatted" of type "Splunk" forwarding to "splunk-rhsl".
- Log Publisher "splunk-publisher" pointing at the splunk-formatted destination.
- Log Publisher "rhsl-publisher" pointing at the splunk-rhsl destination.
- A virtual server backed by a pool with a single node serving up content at http://10.1.1.2 (the IP address is irrelevant for this question).
Given the iRule:
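```tcl
when CLIENT_ACCEPTED {
    # Formatted (Splunk) publisher
    set hsl [HSL::open -publisher /tst/splunk-publisher]
    # Pool addressed directly over TCP
    set hsl [HSL::open -proto TCP -pool remote-logging-pool]
    # Unformatted Remote HSL publisher
    set hsl [HSL::open -publisher /tst/rhsl-publisher]
}
when HTTP_REQUEST {
    # Syslog-style priority, local address, and request URI
    HSL::send $hsl "<190>|[IP::local_addr]|[HTTP::uri]\n"
}
```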
The bottom two `set` statements in the `when CLIENT_ACCEPTED` command result in a message going successfully to the Splunk forwarder.
The first `set` statement results in no messages going to the Splunk forwarder.
Questions
- Are HSL commands in iRules unable to use formatted publishers?
- What exactly does a formatted publisher do? It seems like it would write data to the remote receiver in a format that particular receiver expects, but I haven't found a lot of documentation on this yet.
- Is there an interactive way to generate dummy log events to send to different destinations and publishers to see what the effect is on the remote receiver?
Thanks for your help!
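
The following is an added example, not part of the original post and not F5 or Splunk code: a Python receiver-side parser for the `<190>|[IP::local_addr]|[HTTP::uri]\n` message the iRule sends. It reassembles messages from TCP reads of arbitrary size and separates lines that arrive in that raw shape from lines that do not. The names `LineBuffer`, `parse_raw_hsl`, `classify` and the sample reads are constructed for illustration, and stripping a `%` route-domain suffix from the address is an assumption.

```python
import ipaddress
import re

# Shape of the iRule's HSL::send payload: "<PRI>|local-addr|uri", newline-terminated.
RAW_HSL = re.compile(r"^<(\d{1,3})>\|([^|]*)\|(.*)$")

# Constructed sample: two raw messages split across reads (one URI contains "|"),
# plus one line in a different, made-up shape standing in for anything else.
SAMPLE_READS = [b"<190>|10.1.1.2|/index", b".html\n<190>|10.1.1.2|/a?b=1|2\n",
                b'key="value"\n']

class LineBuffer:
    """Reassemble newline-terminated messages from a TCP byte stream."""
    def __init__(self):
        self._pending = b""

    def feed(self, chunk):
        # Keep the trailing partial message until its newline arrives.
        self._pending += chunk
        *lines, self._pending = self._pending.split(b"\n")
        return [line.decode("utf-8", "replace") for line in lines]

def decode_pri(pri):
    """Syslog PRI = facility * 8 + severity; returns (facility, severity)."""
    return divmod(pri, 8)

def parse_raw_hsl(line):
    """Return a record for a line in the iRule's raw format, else None."""
    m = RAW_HSL.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return None
    try:
        # Assumption: drop a "%<id>" route-domain suffix if one is present.
        addr = ipaddress.ip_address(m.group(2).split("%")[0])
    except ValueError:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "local_addr": str(addr), "uri": m.group(3)}

def classify(chunks):
    """Return (parsed raw records, lines that are not in the raw format)."""
    buf, parsed, other = LineBuffer(), [], []
    for chunk in chunks:
        for line in buf.feed(chunk):
            rec = parse_raw_hsl(line)
            (parsed if rec else other).append(rec or line)
    return parsed, other
```
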