Ensign ElasticSearch Data Integrator is a Splunk modular input add-on for ingesting data from Elasticsearch 8.x clusters into Splunk via the Elasticsearch 8 REST API.
Built on the Splunk UCC Framework, it provides a full GUI-driven configuration experience through Splunk Web — no manual file editing required.
Key Features:
• Multi-cluster Elasticsearch profile management via Splunk UI
• Elasticsearch Query DSL-based data retrieval with configurable time-based fetching
• ES Scroll API pagination for efficient large-volume data collection
• Crash-resilient scroll recovery with a dedicated checkpoint directory
• Document-level deduplication guard (rolling 50,000 IDs per stanza)
• SSL/TLS certificate verification support
• Custom term filters per data source
• Global proxy support with Splunk-native credential encryption
• Custom sourcetype override per input stanza
IMPORTANT: This add-on is designed exclusively for Elasticsearch 8.x API. It is NOT compatible with Elasticsearch 7.x or earlier versions.
Compatibility:
• Elasticsearch: 8.x only
• Splunk Enterprise: 8.2+ and 9.x (you can try it on 10.x; let me know how it goes)
• Python: 3.x (bundled with Splunk)
Categories
IT Operations, Security, Fraud & Compliance
Created By
Muhammad Rafdi Aufar Ahmad