In order to lower switching costs and reduce time to value for existing Splunk users, we shipped our experimental Splunk input in 7.12 across four packages - Apache, AWS Cloudtrail, NGINX and Zeek. This approach isn't scalable, with poor discoverability for users. To improve the workflow, a single Splunk package is needed to provide users with a 'one stop shop' to configure and manage data ingestion from Splunk.
UX needs to be defined, but at a high-level, the Splunk integration will include a toggle for all integrations the Splunk input can support:
Dependencies
elastic/package-spec#110 Make it possible to declare an input multiple times - For a Splunk package we'll want to be able to declare the httpjson input multiple times with slightly different params (like the source type query).
elastic/package-spec#145 - The inputs in the Splunk package need to be able to write to other packages' data streams. Ideally the user would be able to add an input for sourcetype==apache.access and then select to send the data to the Apache package's access data stream. When making this selection Fleet would automatically ensure that the target data stream was created. This use case could be fulfilled via a routing pipeline. Proposed UX available here, with Option 1 being a suitable fit for Splunk (cc: @mukeshelastic)
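As an added example (not code from the elastic/integrations project or from the issue), the routing step that the second dependency describes: results pulled from Splunk by sourcetype are mapped onto the data stream of the package that owns that sourcetype, and anything without an owner is held back rather than silently written to the wrong place. It assumes Splunk's search export output is newline-delimited JSON whose `result` object carries `_raw`, `sourcetype` and `_time`; the sourcetype table and the sample records are constructed for illustration.

```python
"""Route Splunk export results to Elastic data streams by sourcetype (added example)."""
import json
from typing import Dict, List, Optional, Tuple

# Assumed sourcetype -> (data stream type, dataset) table. The issue's example
# is sourcetype apache:access landing in the Apache package's access stream.
SOURCETYPE_TO_DATASET: Dict[str, Tuple[str, str]] = {
    "apache:access": ("logs", "apache.access"),
    "apache:error": ("logs", "apache.error"),
    "aws:cloudtrail": ("logs", "aws.cloudtrail"),
}

def data_stream_name(sourcetype: str, namespace: str = "default") -> Optional[str]:
    """Return the <type>-<dataset>-<namespace> name for a sourcetype, or None if unknown."""
    mapping = SOURCETYPE_TO_DATASET.get(sourcetype.strip().lower())
    if mapping is None:
        return None
    ds_type, dataset = mapping
    return f"{ds_type}-{dataset}-{namespace}"

def route_export(ndjson: str, namespace: str = "default") -> Tuple[List[Tuple[str, dict]], List[dict]]:
    """Parse Splunk export NDJSON into (routed, unrouted).

    routed: list of (target data stream, document) pairs ready for a bulk request.
    unrouted: result objects whose sourcetype no package claims (surface these,
    do not guess a destination). Preview (partial) records are skipped.
    """
    routed: List[Tuple[str, dict]] = []
    unrouted: List[dict] = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("preview"):  # partial search results, not final events
            continue
        result = record.get("result", {})
        sourcetype = result.get("sourcetype", "")
        target = data_stream_name(sourcetype, namespace)
        if target is None:
            unrouted.append(result)
            continue
        ds_type, dataset = SOURCETYPE_TO_DATASET[sourcetype.strip().lower()]
        doc = {
            "@timestamp": result.get("_time"),
            "message": result.get("_raw"),
            "data_stream": {"type": ds_type, "dataset": dataset, "namespace": namespace},
            "event": {"dataset": dataset},
        }
        routed.append((target, doc))
    return routed, unrouted

# Constructed sample of export output: one preview row, two known sourcetypes, one unknown.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"preview": True, "result": {"_raw": "partial", "sourcetype": "apache:access"}},
    {"preview": False, "result": {"_raw": '127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" 200 2326',
                                  "sourcetype": "apache:access", "_time": "2000-10-10T13:55:36.000-07:00"}},
    {"preview": False, "result": {"_raw": "{\"eventName\":\"ConsoleLogin\"}", "sourcetype": "aws:cloudtrail",
                                  "_time": "2021-03-01T00:00:00.000+00:00"}},
    {"preview": False, "result": {"_raw": "unknown app line", "sourcetype": "custom:app",
                                  "_time": "2021-03-01T00:00:01.000+00:00"}},
])
```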
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!