Splunk Search Listener

The Splunk Search Listener in the PilotFish eiConsole or eiPlatform is used to execute a saved or custom search against a running Splunk instance and starts a transaction with the search results.

Listener (Adapter) Configuration Drop-Down List

Basic Splunk Search Listener Configuration Options

The Basic tab contains the following configuration options:

• Search Query – this is where the search query is entered. When running a saved search, enter the name of the search. When running a custom search, enter the query string itself.
• Search Type – this designates the type of search to run, either Saved or Custom
• Polling Interval – how often to run the search and return results
• Results to Return – select the number of results to return from the search. To return all results, use the default value 0.
• Output Format – select the desired Format for the returned search data. Available options are XML, JSON, and CSV.

Splunk Search Listener Basic Configuration Options

Advanced Splunk Search Listener Configuration Options

The Advanced tab allows you to specify whether or not you should only run the Listener when it is triggered externally, and how many elements should be serialized.

Also, you can set the following options:

• Allow Command-Line Invocation – if enabled, the listener can be invoked using the CLI client application
• Restart on Listening Error – if enabled, the listener will be restarted after an error occurs
• FIFO Queue Name – the FIFO options enable a “First In, First Out” queuing mechanism between Listeners and Transports. If a FIFO Queue Name is provided, it will be used as a key for a transaction queue. Transactions will be written to this queue before they reach a Transport. The transactions in this queue will be ordered according to when they were created by the Listener.
• FIFO Queue Delay – this is the interval between updates or checks against that queue. Providing a queue name guarantees that a given Transport sends transactions in the same order that the Listener created them in.
• Use SSL – if SSL connection is desired, check this option
• SSL Protocol – The desired SSL protocol, defaults to TLSv1.2. There are two options TLSv1.1 or TLSv1.2.

Splunk Search Listener Advanced Configuration Options (top half of screen)

• Connect Timeout – how long to wait (in seconds) for a connection before timeout. 0 = unlimited
• Read Timeout – how long to wait in seconds) for a read response before timeout. 0 = unlimited

Splunk Search Listener Advanced Configuration Options (bottom half of screen)

Transaction Logging Splunk Search Listener Configuration Options

The Transaction Logging tab allows you to specify:

• Transaction Logging Enabled – if enabled, allows transaction events originating from this Listener to be logged by a TransactionEventListener
• Log Transaction Data – if enabled, logs transaction data body
• Log Transaction Data Base64 – if enabled, logs transaction data body as Base64
• Log Transaction Attributes – if enabled, logs transaction attributes
• Log All Attributes – if enabled, no attributes will be filtered
• Allowed Attributes –  attributes that are allowed to be logged

Splunk Search Listener Transaction Logging Configuration Options

Inactivity Splunk Search Listener Configuration Options

The Inactivity tab allows you to specify:

• Enable Inactivity Monitor – check this box to enable inactivity monitoring. This will throw a non-transaction exception if the specified number of transactions haven’t been processed in the specified time interval.
• Min. Transactions to Expect – the number of transactions to expect to be completed per monitoring interval
• Monitoring Interval – how often to check the specified number of transactions that have been processed
• Times to Monitor – if set, monitoring will be done during the defined times of the day. To ignore, set start and end time equally.
• Days to Exclude from Monitoring – inactivity monitoring will not occur on the days specified
• Include Errors in Transaction Count – if checked, transactions that attempted to start, but failed at the Listener stage, will also be counted

Splunk Search Listener Inactivity Configuration Options

Throttling Splunk Search Listener Configuration Options

The Throttling tab allows you to specify:

• Throttling Mode – the throttling mode to use for limiting the number of transactions or messages emitted by this Listener. “Timed” will limit transactions based on time intervals, while “Concurrent” will limit based on a concurrent number of transactions. “Concurrent” mode requires a Throttling Response Processor step later in your interface workflow to acknowledge completion.

Splunk Search Listener Throttling Mode

• Throttling Mechanism  – the mechanism to use for throttling messages. “Blocking” prevents the Listener from continuing to process and emit messages altogether, while “queued” pushes received messages into the interface queue or a default, in-memory queue.
• Max Concurrent Messages – how many messages can be concurrently processed, either by time-based limits (allow X per second) or synchronous (allow X at any time)
• Timed Emission Interval – the interval for time-based limits (allow X per X timed emission interval)
• Synchronous Timeout Interval – the interval to wait for a synchronous response before failing

Splunk Search Listener Throttling Configuration Options

Connection Splunk Search Listener Configuration Options

The Connection tab contains the following configuration options:

• Username – the username of the Splunk user to connect as
• Password – the Splunk user’s password
• Hostname – the hostname of the Splunk instance to connect to
• Connection Port – the Splunk instance connection port. The default value is 8089.

Splunk Search Listener Connection Configuration Options

Scheduling Splunk Search Listener Configuration Options

The Scheduling tab allows you to create a schedule for how often the chosen Listener should be run. You can easily modify the start time or end time.

• Scheduled Start Time – specify the scheduled start time. If left blank, the system will defer to the polling interval listed on the Basic tab.
• Scheduled End Time – specify the scheduled end time. If left blank, the system will defer to the polling interval listed on the Basic tab.
• Week Days to Exclude – specify days of the week to exclude from scheduling
• Dates to Exclude – specify specific dates to exclude from scheduling
• Time Zone – specify the Time Zone that should be used for scheduling. By default, it is set to the Time Zone of the eiConsole during the initial configuration.

To modify the scheduled start or end time, choose the three dots next to the corresponding line. You will receive a dialogue box that looks like this:

Splunk Search Listener Scheduling Configuration Options