Skip to main content

Vector

Migrating from Splunk to Siglens using Vector

1. Install Vector

Begin by installing Vector using the instructions provided here. Once installed, you can refer back to this guide for configuration and starting Vector.

2. Configure Vector

Store the following example config in vector.yaml.

data_dir: /var/lib/vector
sources:
my_source_id:
type: file
include:
- /mnt/d/Siglens/SplunkExport3.json
read_from: beginning

# The type: "demo_logs" will generate syslog logs
generate_syslog:
type: 'demo_logs'
format: 'syslog'
count: 2

# Transforms Reference: Transform the data from Sources into desired format
transforms:
remap_file_log:
inputs:
- 'my_source_id'
type: 'remap'
# The path to the file containing the remap rules. Parsing the message which is the data read from the file.
# The parsed json is stored in the structured variable. The structured variable is merged with the other data/fields.
source: |
structured = parse_json!(.message)
., err = merge(., structured)

sinks:
siglens:
type: splunk_hec_logs
inputs:
- generate_syslog
- remap_file_log
endpoint: http://localhost:8081
host_key: hostname
index: 'ind-0'
indexed_fields:
- index
timestamp_key: time
compression: none
encoding:
codec: json
default_token: 'A94A8FE5CCB19BA61C4C08'
batch:
max_events: 1

For in-depth information on Vector configuration, visit the official vector documentation.

3. Run Vector

Vector needs to be started with the --config argument to specify the path to the configuration file. Run the following command:

vector --config vector.yaml