Ensign ElasticSearch Data Integrator app icon

Ensign ElasticSearch Data Integrator

Splunk modular input for ingesting data from Elasticsearch 8.x and 9.x clusters. Dual ES client (auto-selected by runtime), multi-cluster profiles, DSL query filters, scroll-based pagination with crash recovery, document-level deduplication, KVStore checkpoints, SSL/TLS, proxy, and custom SPL diagnostic commands. Full GUI configuration.

splunk product badge
screenshot
screenshot

Default Version 2.0.1
July 14, 2026
Compatibility
Splunk Enterprise, Splunk Cloud
Platform Version: 10.5, 10.4, 10.3, 10.2, 10.1, 10.0, 9.4
Rating

5

(1)

Log in to rate this app
Support
Ensign ElasticSearch Data Integrator support icon
Developer Supported addon
Ensign ElasticSearch Data Integrator is a Splunk modular input add-on for ingesting data from Elasticsearch 8.x and 9.x clusters into Splunk via the Elasticsearch REST API. Built on the Splunk UCC Framework (Add-on Builder), it provides a full GUI-driven configuration experience through Splunk Web — no manual file editing required. Key Features: • Multi-cluster Elasticsearch profile management via Splunk UI • Multi-node cluster support with comma-separated hosts and node sniffing/auto-discovery • Dual ES client library: automatically selects elasticsearch-py 9.4.1 (native) on Splunk 10 or elasticsearch-py 8.19.3 (REST API compatibility mode) on Splunk 9.4 • Per-cluster ES version override (Auto-Detect / 8.x / 9.x) with runtime capability gating • Time-based data fetching with configurable date field and ES Scroll API pagination • Single-term DSL query filter with input validation (fail-closed) • Crash-resilient scroll recovery with dedicated checkpoint directory • KVStore checkpoint storage with smart bidirectional fallback — enables SHC-native replication • Document-level deduplication guard (rolling 50,000 IDs per stanza) • SSL/TLS certificate verification enabled by default with custom CA support • Splunk CA auto-discovery for secure internal REST communication • Global proxy support with Splunk-native credential encryption • Custom sourcetype override per input stanza • Custom SPL diagnostic commands: escheck_connection, escheck_config, escheck_indexes • Comprehensive internal log parsing for taensignelasticsearchaddon:log • Preflight cluster health check before every collection run • 5W1H audit logging on all administrative operations • Minimum polling interval enforcement (15 seconds) • Adjustable log level (DEBUG/INFO/WARN/ERROR) • No pre-compiled binaries — pure Python, runs on any platform Compatibility: • Elasticsearch: 8.x and 9.x (NOT compatible with 7.x or earlier) • Splunk Enterprise: 9.4+ (Python 3.9) and 10.x (Python 3.13) • Network: HTTPS access to target Elasticsearch cluster(s)

Categories

IT Operations, Security, Fraud & Compliance

Created By

Muhammad Rafdi Aufar Ahmad

Type

addon

Downloads

31

Resources

Log in to report this app listing