Run technical addons with this simple utility program.
The TA runner can interpret inputs.conf, transforms.conf and props.conf files and runs technical addons according to these settings.
This project is under active development. You can consult the roadmap to learn more.
This program exports all data over the OpenTelemetry Protocol (OTLP). It can be used with Splunk Connect for OTLP to send data to a Splunk instance.
- Download the binary from the latest release.
- Run the binary with the following arguments:

> tarunner <basedir>

basedir: the location of the technical addon, uncompressed.

The tarunner expects a tarunner.yaml file located at the root of the TA folder.
The tarunner.yaml file consists of 3 fields:
- type: the type of exporter to use. otlp_http will use the OTLP HTTP exporter (default value). Any other value is interpreted as sending over Splunk HEC.
- endpoint: the endpoint to which to send the data. http://localhost:4318 is the default value.
- token: the token to set if sending over HEC.
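A preflight check for these three fields, as an added example that is not part of tarunner: it applies the documented defaults, then flags an HEC configuration without a token, a cleartext `http://` endpoint that is not loopback, and a world-readable file that holds a token. The function names and the flat `key: value` parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for a TA's tarunner.yaml (not part of tarunner).
# Assumption: the file holds flat "key: value" lines for type, endpoint and token.

# yaml_get FILE KEY: print the value of a top-level key, unquoted, comments removed.
yaml_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

# check_tarunner_config BASEDIR: print findings.
# Returns 0 when clean, 1 when there are findings, 2 when the file is missing.
check_tarunner_config() {
  cfg="$1/tarunner.yaml"
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }
  # Defaults as documented above: otlp_http and http://localhost:4318.
  exporter=$(yaml_get "$cfg" type);     : "${exporter:=otlp_http}"
  endpoint=$(yaml_get "$cfg" endpoint); : "${endpoint:=http://localhost:4318}"
  token=$(yaml_get "$cfg" token)
  findings=0
  if [ "$exporter" = "otlp_http" ]; then
    echo "exporter: OTLP HTTP -> $endpoint"
  else
    # Any value other than otlp_http means Splunk HEC, so a typo lands here too.
    echo "exporter: Splunk HEC (type=$exporter) -> $endpoint"
    if [ -z "$token" ]; then
      echo "finding: HEC selected but no token set"; findings=1
    fi
  fi
  case "$endpoint" in
    http://localhost|http://localhost[:/]*) ;;   # loopback, stays on the host
    http://127.0.0.1|http://127.0.0.1[:/]*) ;;
    http://*)
      echo "finding: cleartext HTTP to a non-loopback endpoint"; findings=1 ;;
  esac
  # A stored HEC token should not be readable by every local user.
  if [ -n "$token" ] && [ -n "$(find "$cfg" -perm -004 -print)" ]; then
    echo "finding: $cfg holds a token and is world-readable"; findings=1
  fi
  return "$findings"
}

# Usage: sh check.sh /path/to/ta
if [ "$#" -gt 0 ]; then check_tarunner_config "$1"; fi
```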
Build the Docker image:
> docker build -t tarunner .
Run the image:
> docker run --rm -v "$(pwd)/ta:/ta" tarunner /ta
See also the docker-compose.yml example under the integration folder.
Run the example with:
> docker compose up
In UF mode, the TA runner runs the scripts, modinputs and monitors, capturing their output. It tags them with host, source and sourcetype fields.
UF mode is the default mode.
In HF mode, the TA runner performs the steps of the UF mode and additionally performs index-time actions:
- Indexed extractions
- Ingest eval
- Rulesets
- Transforms
HF mode is experimental and incomplete. This issue tracks the work.
HF mode can be enabled by running the runner with --feature-flags +cook.
The TA Runner is licensed under Apache Software License 2.0. See LICENSE.