Google Cloud Stackdriver and Splunk Integration

Powerful performance with an easy integration, powered by Telegraf, the open source data connector built by InfluxData.

This is not the recommended configuration for real-time queries at scale. For query and compression optimization, high-speed ingest, and high availability, you may want to consider Stackdriver and InfluxDB.

Powerful Performance, Limitless Scale

Collect, organize, and act on massive volumes of high-velocity data. Any data is more valuable when you think of it as time series data with InfluxDB, the #1 time series platform built to scale with Telegraf.

Input and output integration overview

The Google Cloud Stackdriver input plugin collects monitoring data from Google Cloud services through the Stackdriver Monitoring API. It is designed to help users monitor their cloud infrastructure’s performance and health by gathering relevant metrics.

The Splunk output streams Telegraf-collected metrics directly into Splunk via the HTTP Event Collector (HEC), enabling easy integration with Splunk’s powerful analytics platform.

Integration details

Google Cloud Stackdriver

The Stackdriver Telegraf plugin allows users to query timeseries data from Google Cloud Monitoring using the Cloud Monitoring API v3. With this plugin, users can easily integrate Google Cloud monitoring metrics into their monitoring stacks. This API provides a wealth of insights about resources and applications running in Google Cloud, including performance, uptime, and operational metrics. The plugin supports various configuration options to filter and refine the data retrieved, enabling users to customize their monitoring setup according to their specific needs. This integration facilitates a smoother experience in maintaining the health and performance of cloud resources and assists teams in making data-driven decisions based on historical and current performance statistics.

Splunk

Use Telegraf to easily collect and aggregate metrics from many different sources and send them to Splunk. Utilizing the HTTP output plugin combined with the specialized Splunk metrics serializer, this configuration ensures efficient data ingestion into Splunk’s metrics indexes. The HEC is an advanced mechanism provided by Splunk designed to reliably collect data at scale via HTTP or HTTPS, providing critical capabilities for security, monitoring, and analytics workloads. Telegraf’s integration with Splunk HEC streamlines operations by leveraging standard HTTP protocols, built-in authentication, and structured data serialization, optimizing metrics ingestion and enabling immediate actionable insights.

Configuration

Google Cloud Stackdriver

[[inputs.stackdriver]]
  ## GCP Project
  project = "erudite-bloom-151019"

  ## Include timeseries that start with the given metric type.
  metric_type_prefix_include = [
    "compute.googleapis.com/",
  ]

  ## Exclude timeseries that start with the given metric type.
  # metric_type_prefix_exclude = []

  ## Most metrics are updated no more than once per minute; it is recommended
  ## to override the agent level interval with a value of 1m or greater.
  interval = "1m"

  ## Maximum number of API calls to make per second.  The quota for accounts
  ## varies, it can be viewed on the API dashboard:
  ##   https://cloud.google.com/monitoring/quotas#quotas_and_limits
  # rate_limit = 14

  ## The delay and window options control the number of points selected on
  ## each gather.  When set, metrics are gathered between:
  ##   start: now() - delay - window
  ##   end:   now() - delay
  #
  ## Collection delay; if set too low metrics may not yet be available.
  # delay = "5m"
  #
  ## If unset, the window will start at 1m and be updated dynamically to span
  ## the time between calls (approximately the length of the plugin interval).
  # window = "1m"

  ## TTL for cached list of metric types.  This is the maximum amount of time
  ## it may take to discover new metrics.
  # cache_ttl = "1h"

  ## If true, raw bucket counts are collected for distribution value types.
  ## For a more lightweight collection, you may wish to disable and use
  ## distribution_aggregation_aligners instead.
  # gather_raw_distribution_buckets = true

  ## Aggregate functions to be used for metrics whose value type is
  ## distribution.  These aggregate values are recorded in addition to raw
  ## bucket counts, if they are enabled.
  ##
  ## For a list of aligner strings see:
  ##   https://cloud.google.com/monitoring/api/ref_v3/rpc/google.monitoring.v3#aligner
  # distribution_aggregation_aligners = [
  #  "ALIGN_PERCENTILE_99",
  #  "ALIGN_PERCENTILE_95",
  #  "ALIGN_PERCENTILE_50",
  # ]

  ## Filters can be added to reduce the number of time series matched.  All
  ## functions are supported: starts_with, ends_with, has_substring, and
  ## one_of.  Only the '=' operator is supported.
  ##
  ## The logical operators when combining filters are defined statically using
  ## the following values:
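  ##   filter ::= <resource_labels> {AND <metric_labels> AND <user_labels> AND <system_labels>}
  ##   resource_labels ::= <resource_labels> {OR <resource_label>}
  ##   metric_labels ::= <metric_labels> {OR <metric_label>}
  ##   user_labels ::= <user_labels> {OR <user_label>}
  ##   system_labels ::= <system_labels> {OR <system_label>}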
  ##
  ## For more details, see https://cloud.google.com/monitoring/api/v3/filters
  #
  ## Resource labels refine the time series selection with the following expression:
  ##   resource.labels.<key> = <value>
  # [[inputs.stackdriver.filter.resource_labels]]
  #   key = "instance_name"
  #   value = 'starts_with("localhost")'
  #
  ## Metric labels refine the time series selection with the following expression:
  ##   metric.labels.<key> = <value>
  #  [[inputs.stackdriver.filter.metric_labels]]
  #    key = "device_name"
  #    value = 'one_of("sda", "sdb")'
  #
  ## User labels refine the time series selection with the following expression:
  ##   metadata.user_labels."<key>" = <value>
  #  [[inputs.stackdriver.filter.user_labels]]
  #    key = "environment"
  #    value = 'one_of("prod", "staging")'
  #
  ## System labels refine the time series selection with the following expression:
  ##   metadata.system_labels."<key>" = <value>
  #  [[inputs.stackdriver.filter.system_labels]]
  #    key = "machine_type"
  #    value = 'starts_with("e2-")'

Splunk

[[outputs.http]]
  ## Splunk HTTP Event Collector endpoint
  url = "https://splunk.example.com:8088/services/collector"

  ## HTTP method to use
  method = "POST"

  ## Splunk authentication token
  headers = {"Authorization" = "Splunk YOUR_SPLUNK_HEC_TOKEN"}

  ## Serializer for formatting metrics specifically for Splunk
  data_format = "splunkmetric"

  ## Optional parameters
  # timeout = "5s"
  # insecure_skip_verify = false
  # tls_ca = "/path/to/ca.pem"
  # tls_cert = "/path/to/cert.pem"
  # tls_key = "/path/to/key.pem"
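
The Authorization header above carries the HEC token, so how it is stored and transported decides who else can write to the Splunk index. The following check is an added example, not InfluxData's or Telegraf's code: it reads a telegraf.conf and flags Splunk HEC outputs with a literal token, a non-HTTPS URL, or disabled certificate verification. The function name audit_splunk_outputs, the sample config and the variable name SPLUNK_HEC_TOKEN are constructed for illustration; it assumes the token is supplied through Telegraf's environment-variable substitution.

```python
try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: tomli backport on older Pythons

# Constructed sample: output 0 has all three weaknesses, output 1 is the
# corrected form. SPLUNK_HEC_TOKEN is a hypothetical environment variable.
SAMPLE_CONF = """
[[outputs.http]]
  url = "http://splunk.example.com:8088/services/collector"
  method = "POST"
  headers = {"Authorization" = "Splunk 00000000-0000-0000-0000-000000000000"}
  data_format = "splunkmetric"
  insecure_skip_verify = true

[[outputs.http]]
  url = "https://splunk.example.com:8088/services/collector"
  method = "POST"
  headers = {"Authorization" = "Splunk ${SPLUNK_HEC_TOKEN}"}
  data_format = "splunkmetric"
  tls_ca = "/path/to/ca.pem"
"""


def audit_splunk_outputs(conf_text):
    """Return (output_index, finding) pairs for [[outputs.http]] blocks
    that authenticate to Splunk HEC."""
    findings = []
    outputs = tomllib.loads(conf_text).get("outputs", {}).get("http", [])
    for idx, out in enumerate(outputs):
        auth = out.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Splunk "):
            continue  # not a HEC output, out of scope here
        token = auth[len("Splunk "):].strip()
        if not token.startswith("$"):
            findings.append((idx, "HEC token stored as a literal in the file"))
        if not out.get("url", "").lower().startswith("https://"):
            findings.append((idx, "URL is not HTTPS: token sent in cleartext"))
        if out.get("insecure_skip_verify", False):
            findings.append((idx, "TLS certificate verification disabled"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_splunk_outputs(SAMPLE_CONF):
        print(f"outputs.http[{idx}]: {finding}")
```

Run it against the raw file on disk, since Telegraf substitutes environment variables only when it loads the config. Restrict read access to both the config file and the place where the variable is defined.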

Input and output integration examples

Google Cloud Stackdriver

  1. Integrating Cloud Metrics into Custom Dashboards: With this plugin, teams can funnel metrics from Google Cloud into personalized dashboards, allowing for real-time monitoring of application performance and resource utilization. By customizing the visual representation of cloud metrics, operations teams can easily identify trends and anomalies, enabling proactive management before issues escalate.

  2. Automated Alerts and Analysis: Users can set up automated alerting mechanisms leveraging the plugin’s metrics to track resource thresholds. This capability allows teams to act swiftly in response to performance degradation or outages by providing immediate notifications, thus reducing the mean time to recovery and ensuring continued operational efficiency.

  3. Cross-Platform Resource Comparison: The plugin can be used to draw metrics from various Google Cloud services and compare them with on-premise resources. This cross-platform visibility helps organizations make informed decisions about resource allocation and scaling strategies, as well as optimize cloud spending versus on-premise infrastructure.

  4. Historical Data Analysis for Capacity Planning: By collecting historical metrics over time, the plugin empowers teams to conduct thorough capacity planning. Understanding past performance trends facilitates accurate forecasting for resource needs, leading to better budgeting and investment strategies.

Splunk

  1. Real-Time Security Analytics: Utilize this plugin to stream security-related metrics from various applications into Splunk in real time. Organizations can detect threats instantly by correlating data streams across systems, significantly reducing detection and response times.

  2. Multi-Cloud Infrastructure Monitoring: Integrate Telegraf to consolidate metrics from multi-cloud environments directly into Splunk, enabling comprehensive visibility and operational intelligence. This unified monitoring allows teams to detect performance issues quickly and streamline cloud resource management.

  3. Dynamic Capacity Planning: Deploy the plugin to continuously push resource metrics from container orchestration platforms (like Kubernetes) into Splunk. Leveraging Splunk’s analytics capabilities, teams can automate predictive scaling and resource allocation, avoiding resource bottlenecks and minimizing costs.

  4. Automated Incident Response Workflows: Combine this plugin with Splunk’s alerting system to create automated incident response workflows. Metrics collected by Telegraf trigger real-time alerts and automated remediation scripts, ensuring rapid resolution and maintaining high system availability.
