Ensign ElasticSearch Data Integrator is a Splunk modular input add-on for ingesting data from Elasticsearch 8.x and 9.x clusters into Splunk via the Elasticsearch REST API.
Built on the Splunk UCC Framework (Add-on Builder), it provides a full GUI-driven configuration experience through Splunk Web — no manual file editing required.
Key Features:
• Multi-cluster Elasticsearch profile management via Splunk UI
• Multi-node cluster support with comma-separated hosts and node sniffing/auto-discovery
• Dual ES client library: automatically selects elasticsearch-py 9.4.1 (native) on Splunk 10 or elasticsearch-py 8.19.3 (REST API compatibility mode) on Splunk 9.4
• Per-cluster ES version override (Auto-Detect / 8.x / 9.x) with runtime capability gating
• Time-based data fetching with configurable date field and ES Scroll API pagination
• Single-term DSL query filter with input validation (fail-closed)
• Crash-resilient scroll recovery with dedicated checkpoint directory
• KVStore checkpoint storage with smart bidirectional fallback — enables SHC-native replication
• Document-level deduplication guard (rolling 50,000 IDs per stanza)
• SSL/TLS certificate verification enabled by default with custom CA support
• Splunk CA auto-discovery for secure internal REST communication
• Global proxy support with Splunk-native credential encryption
• Custom sourcetype override per input stanza
• Custom SPL diagnostic commands: escheck_connection, escheck_config, escheck_indexes
• Comprehensive internal log parsing for taensignelasticsearchaddon:log
• Preflight cluster health check before every collection run
• 5W1H audit logging on all administrative operations
• Minimum polling interval enforcement (15 seconds)
• Adjustable log level (DEBUG/INFO/WARN/ERROR)
• No pre-compiled binaries — pure Python, runs on any platform
Compatibility:
• Elasticsearch: 8.x and 9.x (NOT compatible with 7.x or earlier)
• Splunk Enterprise: 9.4+ (Python 3.9) and 10.x (Python 3.13)
• Network: HTTPS access to target Elasticsearch cluster(s)