Splunk Translator

Status: Production — The Splunk translator is Conduit's primary production translator.

The Splunk translator is Conduit's most mature integration. NQE queries compile directly to SPL (Search Processing Language) for native execution on your Splunk instance.

Overview

The Splunk translator provides:

Direct SPL Compilation: NQE → SPL translation with full optimization
Time-Range Mapping: Automatic earliest/latest parameter mapping
Stats & Timechart: Full support for Splunk aggregation commands
Cross-Source Correlation: Acts as anchor source for multi-source queries
Index Discovery: Automatic discovery of available indexes and sourcetypes

Prerequisites

Splunk Enterprise or Cloud: Any supported version
REST API Access: Splunk management port (default 8089) accessible
Authentication Token: Splunk auth token or username/password
Index Access: Service account with read access to target indexes

Configuration

Basic Configuration

translator:
  type: splunk
  name: splunk-production

  connection:
    host: splunk.company.com
    port: 8089
    protocol: https
    verify_ssl: true

  authentication:
    type: token
    token: ${SPLUNK_TOKEN}

  defaults:
    index: ot_data
    earliest: -24h
    latest: now

Authentication Options

Token Authentication (Recommended)

authentication:
  type: token
  token: ${SPLUNK_TOKEN}

Username/Password

authentication:
  type: basic
  username: ${SPLUNK_USER}
  password: ${SPLUNK_PASS}

SPL Compilation

NQE queries are compiled to optimized SPL. Here are examples of the compilation:

Basic Query

NQE:

Show temperature for Tank1 over the last hour

Compiled SPL:

index=ot_data tag="Tank1_Temperature" earliest=-1h latest=now
| timechart span=1m avg(value) as temperature

Aggregation Query

NQE:

Show average temperature by reactor during the last 24 hours where plant is Chicago

Compiled SPL:

index=ot_data metric_name="temperature" plant="Chicago" earliest=-24h latest=now
| stats avg(value) as avg_temp, count as samples by reactor

Alarm Query

NQE:

Count alarms by severity and area during the last 2 hours where severity is critical

Compiled SPL:

index=ot_alarms severity="CRITICAL" earliest=-2h latest=now
| stats count as alarm_count by severity, area

Trend Query

NQE:

Show the trend of motor current by line during the last 7 days where line is Line 3

Compiled SPL:

index=ot_data metric_name="motor_current" line="Line 3" earliest=-7d latest=now
| timechart span=1d avg(value) as avg_amps by line

Index Configuration

Default Index Settings

indexes:
  - name: ot_data
    description: "OT process data"
    default: true

  - name: ot_alarms
    description: "Alarm and event data"

  - name: ot_metrics
    description: "Performance metrics"

Index Discovery

discovery:
  enabled: true
  interval: 3600 # seconds
  indexPattern: "ot_*"
  sourcetypePattern: "*"

Cross-Source Correlation

The Splunk translator serves as the primary anchor for cross-source correlation queries:

Correlate temperature from Splunk with vibration from MQTT over the last 24 hours

Conduit:

Queries Splunk for temperature data (SPL)
Queries MQTT for vibration data (subscription buffer)
Uses DuckDB to time-align and correlate the results

Performance Tuning

Connection Settings

connection:
  timeout: 30000 # ms
  maxRetries: 3
  retryDelay: 1000 # ms

  pool:
    maxConnections: 10
    keepAlive: true

Query Optimization

optimizer:
  maxResults: 50000
  truncateResults: true
  useTimechart: true # Use timechart for time-series queries
  preferStats: true # Use stats over raw events when possible

Troubleshooting

Connection Issues

Connection Refused

Verify Splunk management port (8089) is accessible
Check firewall rules
Confirm SSL settings match Splunk configuration

401 Unauthorized

Verify token or credentials
Check token hasn't expired
Confirm service account has required capabilities

Query Issues

No Results

Verify index name is correct
Check time range includes data
Confirm field names match (Splunk is case-sensitive)

Slow Queries

Add index specifier to narrow search
Use time ranges as narrow as possible
Prefer stats/timechart over raw event searches

Example Deployment

version: "3.8"
services:
  conduit-splunk-translator:
    image: conduit/translator-splunk:latest
    environment:
      - CONDUIT_CONTROL_PLANE=nats://nats:4222
      - SPLUNK_HOST=splunk.company.com
      - SPLUNK_PORT=8089
      - SPLUNK_TOKEN=${SPLUNK_TOKEN}
    volumes:
      - ./config/splunk-translator.yaml:/etc/conduit/translator.yaml

Next Steps

MQTT Translator - Subscribe to MQTT topics
MCP IoT Gateway - Connect to industrial protocols
Architecture - How translators work

Splunk Translator

Status: Production — The Splunk translator is Conduit's primary production translator.

The Splunk translator is Conduit's most mature integration. NQE queries compile directly to SPL (Search Processing Language) for native execution on your Splunk instance.

Overview

The Splunk translator provides:

Direct SPL Compilation: NQE → SPL translation with full optimization
Time-Range Mapping: Automatic earliest/latest parameter mapping
Stats & Timechart: Full support for Splunk aggregation commands
Cross-Source Correlation: Acts as anchor source for multi-source queries
Index Discovery: Automatic discovery of available indexes and sourcetypes

Prerequisites

Splunk Enterprise or Cloud: Any supported version
REST API Access: Splunk management port (default 8089) accessible
Authentication Token: Splunk auth token or username/password
Index Access: Service account with read access to target indexes

Configuration

Basic Configuration

translator:
  type: splunk
  name: splunk-production

  connection:
    host: splunk.company.com
    port: 8089
    protocol: https
    verify_ssl: true

  authentication:
    type: token
    token: ${SPLUNK_TOKEN}

  defaults:
    index: ot_data
    earliest: -24h
    latest: now

Authentication Options

Token Authentication (Recommended)

authentication:
  type: token
  token: ${SPLUNK_TOKEN}

Username/Password

authentication:
  type: basic
  username: ${SPLUNK_USER}
  password: ${SPLUNK_PASS}

SPL Compilation

NQE queries are compiled to optimized SPL. Here are examples of the compilation:

Basic Query

NQE:

Show temperature for Tank1 over the last hour

Compiled SPL:

index=ot_data tag="Tank1_Temperature" earliest=-1h latest=now
| timechart span=1m avg(value) as temperature

Aggregation Query

NQE:

Show average temperature by reactor during the last 24 hours where plant is Chicago

Compiled SPL:

index=ot_data metric_name="temperature" plant="Chicago" earliest=-24h latest=now
| stats avg(value) as avg_temp, count as samples by reactor

Alarm Query

NQE:

Count alarms by severity and area during the last 2 hours where severity is critical

Compiled SPL:

index=ot_alarms severity="CRITICAL" earliest=-2h latest=now
| stats count as alarm_count by severity, area

Trend Query

NQE:

Show the trend of motor current by line during the last 7 days where line is Line 3

Compiled SPL:

index=ot_data metric_name="motor_current" line="Line 3" earliest=-7d latest=now
| timechart span=1d avg(value) as avg_amps by line

Index Configuration

Default Index Settings

indexes:
  - name: ot_data
    description: "OT process data"
    default: true

  - name: ot_alarms
    description: "Alarm and event data"

  - name: ot_metrics
    description: "Performance metrics"

Index Discovery

discovery:
  enabled: true
  interval: 3600 # seconds
  indexPattern: "ot_*"
  sourcetypePattern: "*"

Cross-Source Correlation

The Splunk translator serves as the primary anchor for cross-source correlation queries:

Correlate temperature from Splunk with vibration from MQTT over the last 24 hours

Conduit:

Queries Splunk for temperature data (SPL)
Queries MQTT for vibration data (subscription buffer)
Uses DuckDB to time-align and correlate the results

Performance Tuning

Connection Settings

connection:
  timeout: 30000 # ms
  maxRetries: 3
  retryDelay: 1000 # ms

  pool:
    maxConnections: 10
    keepAlive: true

Query Optimization

optimizer:
  maxResults: 50000
  truncateResults: true
  useTimechart: true # Use timechart for time-series queries
  preferStats: true # Use stats over raw events when possible

Troubleshooting

Connection Issues

Connection Refused

Verify Splunk management port (8089) is accessible
Check firewall rules
Confirm SSL settings match Splunk configuration

401 Unauthorized

Verify token or credentials
Check token hasn't expired
Confirm service account has required capabilities

Query Issues

No Results

Verify index name is correct
Check time range includes data
Confirm field names match (Splunk is case-sensitive)

Slow Queries

Add index specifier to narrow search
Use time ranges as narrow as possible
Prefer stats/timechart over raw event searches

Example Deployment

version: "3.8"
services:
  conduit-splunk-translator:
    image: conduit/translator-splunk:latest
    environment:
      - CONDUIT_CONTROL_PLANE=nats://nats:4222
      - SPLUNK_HOST=splunk.company.com
      - SPLUNK_PORT=8089
      - SPLUNK_TOKEN=${SPLUNK_TOKEN}
    volumes:
      - ./config/splunk-translator.yaml:/etc/conduit/translator.yaml

Next Steps

MQTT Translator - Subscribe to MQTT topics
MCP IoT Gateway - Connect to industrial protocols
Architecture - How translators work