This repository has been archived by the owner on May 3, 2024. It is now read-only.

What is Splunk?

Splunk is a software platform that allows you to search, monitor, and analyze machine-generated big data via a Web-style interface. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.

The SmartStore feature provides a way to use remote object stores, such as Amazon S3, to store indexed data. By reducing reliance on local storage, SmartStore allows you to scale compute and storage resources separately, thus improving the efficiency of resource usage.

What is CORTX?

CORTX is a distributed object storage system designed for great efficiency, massive capacity, and high HDD-utilization. CORTX is 100% Open Source.

How do CORTX and Splunk work together?

Because CORTX is S3 compatible we can use the storage system and the Splunk SmartStore feature to offload data to the object storage.

Configuring Splunk to work with CORTX

Step 0: Watch the video

If you prefer video instructions, check out this video on YouTube.

Step 1: Get your S3 bucket credentials/details.

Here's what you'll need:

  • Data IP address
  • Secret key
  • Access Key

You will get the above information when you create an S3 account on your CORTX server. Please refer to the testing document here for more information on how to create an account and test it.

  1. When you create an account, you will be shown a screen with your credentials.

  2. S3 Bucket: You will need to create an S3 bucket by logging into the CORTX management console.

Step 2: Configuring Splunk

Please refer to the document here to configure a remote SmartStore store. However, the instructions below should suffice for configuring CORTX.

📃 Notes:

  1. Configuring the remote S3 storage is done using an indexes.conf file. You can find the local copy of this file in this location: $SPLUNK_HOME/etc/system/local

  2. You will need to add these lines to the indexes.conf file.

📃 Note: The values for S3_BUCKET + ACCESS_KEY + SECRET_KEY + DATA_IP are from your S3 credentials/details.

[volume:s3]
storageType = remote
path = s3://<S3_BUCKET>
remote.s3.access_key = <ACCESS_KEY>
remote.s3.secret_key = <SECRET_KEY>
remote.s3.supports_versioning = false
remote.s3.endpoint = https://<DATA_IP>:443

For example:

[volume:s3]
storageType = remote
path = s3://splunk
remote.s3.access_key = 2wuishXYQAe79w-1is75jw
remote.s3.secret_key = UtywncifcfOdTdSKVhsfs7w9xP51234BhJxmaJ14NAL
remote.s3.supports_versioning = false
remote.s3.endpoint = https://ssc-vm-0668.colo.seagate.com:443

  3. On your Splunk server, navigate to http://<SPLUNK_IP>:8000/en-US/manager/launcher/control and click the "Restart Server" button.
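A check you can run on indexes.conf before restarting Splunk, as an added example (not code from the CORTX or Splunk projects): it flags a missing [volume:s3] stanza header, missing settings, unfilled <...> placeholders, a non-HTTPS endpoint, and a file that other local users can read. The function names, bucket, keys and hostname in the sample are constructed for illustration.

```python
import configparser
import os
import re
import stat
from urllib.parse import urlparse

REQUIRED = ("storageType", "path", "remote.s3.access_key",
            "remote.s3.secret_key", "remote.s3.endpoint")
PLACEHOLDER = re.compile(r"<[A-Z0-9_]+>")  # e.g. <SECRET_KEY> left from the template

def check_volume(conf_text, stanza="volume:s3"):
    """Return a list of findings for the SmartStore volume stanza (empty = OK)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    try:
        cp.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before any [stanza] header"]
    if not cp.has_section(stanza):
        return [f"missing stanza [{stanza}]"]
    vol = dict(cp.items(stanza))
    findings = [f"missing setting {k}" for k in REQUIRED if not vol.get(k)]
    findings += [f"{k} still holds a template placeholder"
                 for k, v in vol.items() if PLACEHOLDER.search(v)]
    if vol.get("storageType") not in (None, "remote"):
        findings.append("storageType must be remote")
    if not vol.get("path", "s3://").startswith("s3://"):
        findings.append("path must be an s3:// URI")
    scheme = urlparse(vol.get("remote.s3.endpoint", "")).scheme
    if scheme and scheme != "https":
        findings.append("endpoint is not https: S3 traffic would be unencrypted")
    return findings

def readable_by_others(path):
    """True if group or other users can read the file holding the secret key."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample input (not real credentials or hosts).
GOOD = """[volume:s3]
storageType = remote
path = s3://splunk
remote.s3.access_key = EXAMPLEACCESSKEY
remote.s3.secret_key = EXAMPLESECRET
remote.s3.supports_versioning = false
remote.s3.endpoint = https://cortx.example.internal:443
"""
BAD = GOOD.replace("https://", "http://").replace("EXAMPLESECRET", "<SECRET_KEY>")

if __name__ == "__main__":
    print(check_volume(GOOD), check_volume(BAD), sep="\n")
```

To check a live file, pass its contents to check_volume() and its path to readable_by_others().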

Step 3: Validating Splunk with CORTX

There are a few ways we can validate the integration:

  1. Check the SmartStore Activity Instance Console.

You should see that the Remote Storage Connectivity is ONLINE and that there is Bucket Activity being uploaded to the remote S3 bucket.

  2. Use an S3 client (e.g. Cyberduck) to connect to the S3 bucket and see that folders have been created and logs have been uploaded.

  3. Log in to the CORTX Management Dashboard and verify that there is data being written.

Watch the integration demo

Our Developer Advocate, Justin Woo, walks us through integrating Splunk and CORTX. Splunk is a software platform that allows you to search, monitor, and analyze machine-generated big data via a web-style interface. Because CORTX is S3 compatible we can use the storage system and the Splunk SmartStore feature to offload data to the object storage. This short video walks through a CORTX integration with Splunk.

Connecting CORTX to Splunk