Downloading Corvil for Splunk
MD5 checksum (corvil-for-splunk_103.tgz) b86982ba299e89d8200cfc99e47b9bd2
Corvil for Splunk

The Corvil Add-on for Splunk streams Corvil analytics for IT operations, network and application performance into Splunk. The add-on connects to an existing Corvil deployment. Corvil analytics are derived from real-time analysis of network traffic - a privileged source of data that delivers information about what actually happens and not just what software and servers choose to report. Corvil Streams produce summaries of key events and transform them into actionable data.

Taking the Corvil data into Splunk brings the flexibility and power of Splunk’s indexing, search and dashboards to bear on this rich data stream - allowing high-level reporting, ad-hoc troubleshooting, and correlation with data from other systems’ logs.

For more information about what Corvil is doing with network data see www.corvil.com

Table of Contents

OVERVIEW

  • About the Corvil add-on for Splunk
  • Release notes
  • Support and resources

DEPLOYMENT

  • Hardware and software requirements
  • Installation

USER GUIDE

  • Preparing Corvil for streaming to Splunk
  • Configuring the Corvil add-on for Splunk
  • Data types
  • Lookups

OVERVIEW

About the Corvil add-on for Splunk

  • Author: Corvil Connectors
  • App Version: 1.0.3
  • Vendor Products: Corvil Giga, Corvil Giga+, Corvil Tera, Corvil Tera+
  • System Requirements: Java Runtime Environment (v1.6 or later) installed on the Splunk Enterprise host

The Corvil add-on for Splunk allows a Splunk® Enterprise administrator to stream Corvil analytics for IT operations, network and application performance into Splunk. The add-on provides a modular input that connects to an existing Corvil deployment. Corvil analytics are derived from real-time analysis of network traffic - a privileged source of data that delivers information about what actually happens and not just what software and servers choose to report. Corvil Analytics Streams produce summaries of key events and transform them into actionable data.

Taking the Corvil data into Splunk brings the flexibility and power of Splunk’s indexing, search and dashboards to bear on this rich data stream - allowing high-level reporting, ad-hoc troubleshooting, and correlation with data from other systems’ logs.

For more information about what Corvil is doing with network data see www.corvil.com.

Scripts and binaries

The Corvil add-on for Splunk includes the following binaries:

  • Corvil/lib/splunk-1.0.1.jar: Splunk-related binaries for the Corvil add-on
  • Corvil/lib/org.apache.sling.commons.json-2.0.10.jar: dependency for JSON formatting
  • Corvil/lib/commons-codec-1.10.jar: dependency for binary fields support
  • Corvil/lib/connector.jar: common binaries for the Corvil add-on
  • Corvil/lib/protobuf-java-2.6.1.jar: dependency for analytic stream decoding
  • Corvil/bin/corvil: init script for Linux
  • Corvil/bin/corvil.bat: init script for Windows
  • Corvil/bin/CorvilConnectors-1608.0.1-JRE-1.7-splunk.spl
  • Corvil/bin/CorvilConnectors-1608.0.1-JRE-1.6-splunk.spl

Release notes

About this release

Version 1.0.3 of the Corvil add-on for Splunk is compatible with:

  • Splunk Enterprise versions: 6.3, 6.2, 6.1
  • Platforms: Platform independent
  • Vendor Products: Corvil Giga, Corvil Giga+, Corvil Tera and Corvil Tera+
  • System Requirements: Java Runtime Environment (v1.6 or later) installed on the Splunk Enterprise host

What’s New in This Release

Version 1.0.3 of the Corvil add-on for Splunk includes the following new features:

  • Special characters: Special characters in Corvil Appliance’s password are now supported.
  • Timestamp changes: The timestamp is split into 2 fields: timestamp and timestampNs. The timestamp field contains the microseconds part of the timestamp, and timestampNs contains the nanoseconds part of the timestamp.

Fixed issues

Version 1.0.3 of the Corvil add-on for Splunk fixes the following issues:

  • Formatting bug in the JSON output from the modular input

Third-party software attributions

Version 1.0.3 of the Corvil add-on for Splunk incorporates the following third-party software or libraries: Google Protobuf, Apache commons codec, and Apache Sling commons JSON.

Support and resources

Contacting Customer Support

If you need support for Corvil products, Corvil Support can be contacted Monday to Friday between 9:00 and 17:00 GMT. Corvil customers with a standard contract are assured of a response within 24 hours and have access to a portal where support tickets can be tracked.

  • e-mail: support@corvil.com
  • USA/Canada Toll Free: 1800 673 3185
  • UK Freephone: 0800 066 4799
  • International: +353 1 859 1010

DEPLOYMENT

Hardware and software requirements

Hardware requirements

The Corvil add-on for Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

  • Linux
  • Microsoft Windows

Software requirements

To function properly, the Corvil add-on for Splunk requires the following software:

  • Corvil Giga, Giga+, Tera or Tera+ installed on a Corvil appliance
  • Java Runtime Environment (version 1.6 or later) installed on the Splunk Enterprise host

Splunk Enterprise system requirements

Because the Corvil add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

The Corvil add-on for Splunk can be installed directly from within your Splunk Enterprise admin interface, or downloaded from https://splunkbase.splunk.com/app/2725/ and then uploaded to your Splunk Enterprise. Both approaches are described below.

Installation

This section describes how to install the Corvil add-on in your Splunk Enterprise deployment. Details of how to configure and use it are covered in the User Guide below.

There are two ways to download and install the Corvil add-on, depending on whether your Splunk Enterprise host has connectivity to the Splunk app and add-on marketplace at splunkbase.splunk.com:

  • Direct installation from Splunkbase
  • Download and manual installation

We’ll look at these in more detail in the following sections.

Deploy to single server instance

Follow these steps to install the add-on in a single server instance of Splunk Enterprise:

Direct installation from Splunkbase

If your Splunk Enterprise host has the appropriate connectivity, you can install the Corvil add-on directly from Splunkbase:

  1. Log in to Splunk Enterprise.
  2. Depending on your Splunk Enterprise version:

    • If you are using Splunk Enterprise 6.3, open the Apps menu and select Browse more Apps
    • If you are using Splunk Enterprise 6.2, open the Explore Splunk Enterprise panel and click Splunk Apps
    • If you are using Splunk Enterprise 6.1, from the Apps menu select Find more apps.
  3. On that page, search for Corvil. The Corvil for Splunk add-on should display.

  4. Click Install free.
  5. On the Install app page:

    • Review the license terms and conditions and check the check box
    • Enter your splunk.com username and password (not your Splunk Enterprise username and password)
    • Click Login.

The Corvil data source can now be used to route a Corvil Analytics Stream into Splunk.

Download and manual installation

If your Splunk Enterprise host deployment does not have direct connectivity to splunkbase.splunk.com, you can download the Corvil add-on from the link above and then manually install the add-on from within Splunk Enterprise.

  1. Log in to Splunk Enterprise.
  2. Depending on your Splunk Enterprise version:
    • Using Splunk Enterprise 6.3, click the Apps gear icon
    • Using Splunk Enterprise 6.2, click the Manage Apps link
    • Using Splunk Enterprise 6.1, select Manage Apps from the Apps menu.
  3. Select Install app from file, navigate to the downloaded Corvil add-on file, select it and click Open.
  4. With the Corvil add-on file selected, click Upload.

The Corvil data source can now be used to route a Corvil Analytics Stream into Splunk.

Deploy to distributed deployment

The Corvil add-on for Splunk is only installed on indexers or forwarders:

  • The installation process for an indexer is the same as for the single server case.
  • Forwarders do not provide a GUI that can be used for managing add-ons. The add-on can be installed on the forwarder using the $SPLUNK_HOME/bin/splunk install app command. Alternatively, it can be installed via a set of manual steps:

    1. Download and unpack the .tgz package from Splunkbase
    2. Move the resulting Corvil directory into the $SPLUNK_HOME/etc/apps directory on your forwarder
    3. Restart the forwarder
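
The manual forwarder steps above, with two checks added before anything is unpacked into etc/apps, as an added example that is not part of Corvil's documentation. It compares the package against the MD5 value this page lists for corvil-for-splunk_103.tgz and rejects archives whose member names fall outside a single Corvil/ directory; the function names and staging directory are assumptions. MD5 catches a corrupted or mismatched file but is not collision-resistant, so it does not replace trust in the download channel.

```shell
#!/bin/sh
# Added example: pre-install checks for a manually downloaded package.
# EXPECTED_MD5 is the value this page lists for corvil-for-splunk_103.tgz;
# function names and the staging directory are illustrative.
EXPECTED_MD5="b86982ba299e89d8200cfc99e47b9bd2"

# Print the hex MD5 of a file (md5sum if present, otherwise openssl).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file's MD5 equals the expected value.
verify_md5() {
    [ "$(file_md5 "$1")" = "$2" ]
}

# Succeed only if every member name is under the top-level directory $2:
# no absolute paths, no ".." components, no second top-level entry.
# Checks names only; it does not inspect symlink targets.
archive_is_contained() {
    tar -tzf "$1" | awk -v top="$2" '
        { sub(/^\.\//, "") }
        $0 == "" { next }
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        $0 != top && index($0, top "/") != 1 { bad = 1 }
        { n++ }
        END { if (bad || n == 0) exit 1 }'
}

# Verify, unpack into a staging directory, then move Corvil/ into apps.
# Return codes: 1 checksum, 2 paths, 3 already installed, 4 staging.
install_addon() {
    pkg=$1; apps_dir=$2
    verify_md5 "$pkg" "$EXPECTED_MD5" || { echo "checksum mismatch" >&2; return 1; }
    archive_is_contained "$pkg" Corvil || { echo "unexpected paths" >&2; return 2; }
    [ ! -e "$apps_dir/Corvil" ] || { echo "Corvil already present" >&2; return 3; }
    stage=$(mktemp -d) || return 4
    tar -xzf "$pkg" -C "$stage" && mv "$stage/Corvil" "$apps_dir/"
    rc=$?
    rm -rf "$stage"
    return $rc
}

# Usage: sh install_corvil.sh corvil-for-splunk_103.tgz "$SPLUNK_HOME/etc/apps"
if [ $# -eq 2 ]; then install_addon "$1" "$2"; fi
```

After a successful run, restart the forwarder as in step 3.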

Deploy to Splunk Cloud

The Corvil add-on for Splunk is not currently supported in Splunk Cloud.


USER GUIDE

The add-on provides a new type of Splunk modular input that feeds data from a Corvil Analytics Stream into Splunk. Multiple Corvil inputs can be configured, if required, connecting to multiple streams.

Splunk ensures that any Corvil inputs are started once Splunk itself starts. If a Corvil input loses the network connection to the Corvil appliance or the publishing of the Corvil Analytics Stream is halted, the input will attempt to reconnect every 10 seconds.

Preparing Corvil for Streaming to Splunk

The Corvil Network Data Analytics appliance passively taps into network data and automatically discovers, decodes and reconstructs all details of application and business data flows. Streaming Corvil analytics into Splunk requires setting up and publishing Corvil Analytics Streams on one or more Corvil appliances depending on your deployment. The Corvil Analytics Streams publisher enables you to route valuable network data analytics into Splunk using the Corvil Splunk add-on, making it available for real-time analysis and data mining over longer timescales.

For more information on configuring Corvil Analytics Streams on Corvil appliances, please consult the Corvil User Guide.

Configuring the Corvil add-on for Splunk

To configure the Corvil add-on as a modular input for Splunk Enterprise:

  1. Log in to Splunk Enterprise.
  2. From the Settings menu select Data Inputs. On the Data Inputs page, the Corvil add-on is listed as Corvil Connector.
  3. Click Add new.
  4. Complete the Add Data form (Splunk Enterprise 6.3 and 6.2) or the Add new form (Splunk Enterprise 6.1). The optional configuration settings are documented below and the mandatory settings are:
    • Input Name: Specify the name for the Splunk data input
    • CNE address: Specify the hostname or IP address of the CNE publishing the Corvil Analytics Stream
    • CNE Port: Specify the port number of the Web Services API on the CNE publishing the Corvil Analytics Stream (Default: 5101)
    • Username/Password: Specify the Web Services API login credentials on the CNE publishing the Corvil Stream (The default username is monitor)
    • Analytics Stream Name: Specify the name of the Corvil Analytics Stream of interest
  5. When using Splunk Enterprise 6.3 or 6.2, click Next. When using Splunk Enterprise 6.1, click Save.

The form is validated and when it successfully saves, the new Corvil input will connect to the CNE and start streaming data into Splunk. Any validation error is reported on the page. Additional error information, if required, can be found in var/log/splunk/splunkd.log

Note: If addition of the Corvil input fails, check that Java (JRE 1.6 or later) is installed on your Splunk Enterprise host.

Optional configuration settings

  • Event Types: Specify the names of the event types of interest as defined in the Corvil Analytics Stream. Multiple event types can be specified as a comma-separated list without whitespace (Default: the field is blank, which publishes all events)
  • Include Heartbeats: Check the box to include Heartbeat messages with Corvil Analytics Stream events (Default: unchecked)
  • Only Include Events in Violation: Check the box to specify that only events that violate the thresholds defined in network service objectives on the CNE should be retrieved (Default: unchecked)
  • Include links to the Corvil appliance: Check the box to include links to the Corvil Appliance in each event (message-url must be enabled on the appliance)
  • Suppressed Fields: Multiple field names to be suppressed can be specified as a comma-separated list without whitespace (Default: the field is blank, which publishes all the fields)

Some less frequently used options are available under More Settings:

  • Set the source type: Tell Splunk what kind of data this is so you can group it with other data of the same type when you search. When this is set to automatic, Splunk classifies and assigns the sourcetype automatically, and gives unknown sourcetypes placeholder names. You can manually force the source type to 'corvil' rather than rely on auto-detection.
  • Index: Set the destination index for streamed events for this source
  • Rate-Limit: Set a rate limiter that prevents the Corvil add-on from sending more than Rate-Limit-Count messages over a period of Rate-Limit-Period seconds (events violating the limiter are ignored). Zero (0) in either of the fields disables the limiter.

Configuring the input on a Splunk forwarder

Since the Splunk forwarder does not offer a GUI for managing add-ons, the configuration needs to be done by directly editing the inputs.conf file:

  • Copy $SPLUNK_HOME/etc/apps/Corvil/default/inputs.conf to $SPLUNK_HOME/etc/apps/Corvil/local/inputs.conf
  • Edit $SPLUNK_HOME/etc/apps/Corvil/local/inputs.conf to configure one or more inputs. The copy of inputs.conf in default shows the possible options.
  • Each configured input has its own stanza, starting with a line that names the new input, such as [corvil://db-stream], followed by disabled = 0 and the input’s parameters, which are identical to the list above. For example:

        [corvil://test]
        sourcetype = corvil
        disabled = 0
        Hostname = corvil1
        Port-Number = 5101
        ...

  • Restart: $SPLUNK_HOME/bin/splunk restart

Data types

The Corvil add-on for Splunk defines a "corvil" source type, which is JSON-formatted data with mandatory fields (for example, timestamp and eventID).

Lookups

The Corvil add-on for Splunk contains no lookup files.


Copyright © 2015 Corvil Limited. All rights reserved.

This document contains confidential information of Corvil Limited ("Corvil") and is furnished in confidence. The contents of this document are protected by copyright, trademark and other intellectual property laws, under national laws and international treaties. No part of this document may be copied, reproduced, stored or transmitted, in any form or by any means, electronic, mechanical or otherwise, for any purpose, including without limitation the purposes of distribution to agents or third parties or use for tendering or manufacturing purposes, without the express written agreement of Corvil and then only on the condition that this notice is included in any such copy or reproduction.

The content of this document is furnished for technical information purposes only, and should not be construed as any form of warranty or guarantee by Corvil. Corvil shall not be liable for technical, editorial or other errors or omissions in this document, and this document and the information in it are provided "as is". Unless expressly stated otherwise in a written agreement between the recipient of this document and Corvil, which predates the recipient’s receipt of this document and which expressly refers to this document, and to the greatest extent permitted by applicable law, Corvil expressly disclaims all terms, conditions and warranties, expressed or implied, statutory or otherwise, relating to this document and the information in it, including without limitation any warranties as to merchantability, fitness for a particular purpose or non-infringement.

Copyright © 2015 Corvil Ltd. Corvil, the Corvil logo (the Corvil spark) and Corvil product names are all trademarks of Corvil Ltd. All other brand or product names are trademarks of their respective owners.

Release Notes

Version 1.0.3
Sept. 27, 2016

##### About this release

Version 1.0.3 of the Corvil add-on for Splunk is compatible with:

* **Splunk Enterprise versions** 6.5, 6.4, 6.3, 6.2, 6.1
* **Platforms** Platform independent
* **Vendor Products** Corvil Giga, Corvil Giga+, Corvil Tera and Corvil Tera+
* **System Requirements** Java Runtime Environment (v1.6 or later) installed on the Splunk Enterprise host

##### What’s New in This Release
Version 1.0.3 of the Corvil add-on for Splunk includes the following new features:
* **Special characters**: Special characters in Corvil Appliance’s password are now supported.
* **Timestamp changes**: The timestamp is split into 2 fields: timestamp and timestampNs. The timestamp field contains the microseconds part of the timestamp, and timestampNs contains the nanoseconds part of the timestamp.

##### Fixed issues
Version 1.0.3 of the Corvil add-on for Splunk fixes the following issues:

- Formatting bug in the JSON output from the modular input
