Environment Parameters¶
You can declare parameters by making a copy of the scripts/ci_nozzle_manifest.sh.
| Variable name | Description | Default value |
|---|---|---|
DEBUG |
Enable debug mode (forward to standard out instead of Splunk) | false |
Cloud Foundry configuration parameters:¶
| Variable name | Description | Default value | Mandatory parameter |
|---|---|---|---|
API_ENDPOINT |
Cloud Foundry API endpoint address | - | Yes |
CLIENT_ID |
UAA Client ID (Must have authorities and grant_types described above) | - | Yes |
CLIENT_SECRET |
Secret for Client ID. | - | Yes |
Splunk configuration parameters:¶
| Variable name | Description | Default value | Mandatory parameter |
|---|---|---|---|
SPLUNK_TOKEN |
Splunk HTTP event collector token | - | Yes |
SPLUNK_HOST |
Splunk HTTP event collector host, example: https://example.cloud.splunk.com:8088 | - | Yes |
SPLUNK_INDEX |
The Splunk index events will be sent to. Warning: Setting an invalid index will cause events to be lost. This index must match one of the selected indexes for the Splunk HTTP event collector token used for the SPLUNK_TOKEN parameter. |
- | Yes |
Advanced Configuration Features:¶
| Variable name | Description | Default value | Mandatory parameter |
|---|---|---|---|
JOB_NAME |
Tags nozzle log events with job name. | ‘splunk-nozzle’ | No |
JOB_INDEX |
Tags nozzle log events with job index. | -1 | No |
JOB_HOST |
Tags nozzle log events with job host. | ”“ | No |
SKIP_SSL_VALIDATION_CF |
Skips SSL certificate validation for connection to Cloud Foundry. Secure communications will not check SSL certificates against a trusted certificate authority. This is recommended for dev environments only. | false | No |
SKIP_SSL_VALIDATION_SPLUNK |
Skips SSL certificate validation for connection to Splunk. Secure communications will not check SSL certificates against a trusted certificate authority. This is recommended for dev environments only. | false | No |
FIREHOSE_SUBSCRIPTION_ID |
Tags nozzle events with a Firehose subscription id. See here. | splunk-firehose | No |
FIREHOSE_KEEP_ALIVE |
Keep alive duration for the Firehose consumer. | 25s | No |
ADD_APP_INFO |
Enrich raw data with app info. A comma separated list of app metadata (AppName,OrgName,OrgGuid,SpaceName,SpaceGuid). |
”“ | No |
ADD_TAGS |
Add additional tags from envelope to splunk event. (Please note: Enabling this feature may slightly impact the performance due to the increased event size) | false | No |
IGNORE_MISSING_APP |
If the application is missing, then stop repeatedly querying application info from Cloud Foundry. | true | No |
MISSING_APP_CACHE_INVALIDATE_TTL |
How frequently the missing app info cache invalidates (in s/m/h. For example, 3600s or 60m or 1h). See about app cache params | 0s | No |
APP_CACHE_INVALIDATE_TTL |
How frequently the app info local cache invalidates (in s/m/h. For example, 3600s or 60m or 1h). See about app cache params | 0s | No |
ORG_SPACE_CACHE_INVALIDATE_TTL |
How frequently the org and space cache invalidates (in s/m/h. For example, 3600s or 60m or 1h). | 72h | No |
APP_LIMITS |
Restrict to APP_LIMITS the most updated apps per request when populating the app metadata cache. Keep it 0 to update all the apps. |
0 | No |
BOLTDB_PATH |
Bolt database path. | cache.db | No |
EVENTS |
A comma separated list of events to include. Possible values: ValueMetric,CounterEvent,Error,LogMessage,HttpStartStop,ContainerMetric. If no event type is selected, nozzle will automatically select LogMessage to keep the nozzle running. | “ValueMetric,CounterEvent,ContainerMetric” | Yes |
EXTRA_FIELDS |
Extra fields to annotate your events with (format is key:value,key:value). | ”“ | No |
FLUSH_INTERVAL |
Time interval (in s/m/h. For example, 3600s or 60m or 1h) for flushing queue to Splunk regardless of CONSUMER_QUEUE_SIZE. Protects against stale events in low throughput systems. |
5s | No |
CONSUMER_QUEUE_SIZE |
Sets the internal consumer queue buffer size. Events will be pushed to Splunk after queue is full. | 10000 | No |
HEC_BATCH_SIZE |
Set the batch size for the events to push to HEC (Splunk HTTP Event Collector). | 100 | No |
HEC_RETRIES |
Retry count for sending events to Splunk. After expiring, events will begin dropping causing data loss. | 5 | No |
HEC_WORKERS |
Set the amount of Splunk HEC workers to increase concurrency while ingesting in Splunk. | 8 | No |
ENABLE_EVENT_TRACING |
Enables event trace logging. Splunk events will now contain a UUID, Splunk Nozzle Event Counts, and a Subscription-ID for Splunk correlation searches. | false | No |
SPLUNK_LOGGING_INDEX |
The Splunk index where logs from the nozzle of the sourcetype cf:splunknozzle will be sent to. Warning: Setting an invalid index will cause events to be lost. This index must match one of the selected indexes for the Splunk HTTP event collector token used for the SPLUNK_TOKEN parameter. When not provided, all logging events will be forwarded to the default SPLUNK_INDEX. |
”“ | No |
STATUS_MONITOR_INTERVAL |
Time interval (in s/m/h. For example, 3600s or 60m or 1h) to enable monitoring of metric data within the connector. (This increases CPU load and should be used only for insights purposes). | 0s | No |
SPLUNK_METRIC_INDEX |
Index in which metric data will be ingested when monitoring module is enabled | - | No |
SELECTED_MONITORING_METRICS |
Name of the metrics that you want to monitor and add using comma seprated values. List of the metrics that are supported in the metrics modules are given below | - | No |
REFRESH_SPLUNK_CONNECTION |
If set to true, PCF will periodically refresh connection to Splunk (how often depends on KEEP_ALIVE_TIMER value). If set to false connection will be kept alive and reused. |
false | No |
KEEP_ALIVE_TIMER |
Time after which connection to Splunk will be refreshed, if REFRESH_SPLUNK_CONNECTION is set to true (in s/m/h. For example, 3600s or 60m or 1h). |
30s | No |
MEMORY_BALLAST_SIZE |
Size of memory allocated to reduce GC cycles. Size should be less than the total memory. | 0 | No |
About app cache params:¶
When ADD_APP_INFO config is enabled, the nozzle will enrich the event with app metadata.
For this, the nozzle maintains a cache of all the apps locally so that it does not need to query from remote every time.
Now, when there is a change in this app data in remote, the nozzle has to update this local cache.
For this, the config has APP_CACHE_INVALIDATE_TTL parameter. At every APP_CACHE_INVALIDATE_TTL interval, the nozzle will update the local cache by querying the remote (CF APIs).
If APP_CACHE_INVALIDATE_TTL is set to 10s, the nozzle will refresh the local cache at every 10s.
So, AppCacheTTL should be set based on how frequently the app data is expected to change.
When the nozzle receives events from the doppler, it will check the local cache for the given app-id.
But on cache-miss, it will query remote for that specific app.
If it doesn’t find the app data from remote too, then the nozzle will add that app to MissingAppCache
(if IGNORE_MISSING_APP config is enabled. so that the nozzle does not waste time in querying the remote for an app which is likely not to be found).
So, from the next time onwards, the nozzle will first check in the MissingAppCache, if found then it will ignore the app and move on to the next event with a warning.
MISSING_APP_CACHE_INVALIDATE_TTL is used to clear the MissingAppCache so nozzle can retry querying from remote.
For example, given MISSING_APP_CACHE_INVALIDATE_TTL is set to 60s, when nozzle receives event from app that is not available in local cache and remote,
it’ll add it to MissingAppCache. Until next MISSING_APP_CACHE_INVALIDATE_TTL, nozzle will not query from remote for the missing app.