Add an example showing how to use filelog with otel collector, sendin…

…g data to Splunk Enterprise (open-telemetry#964)

examples/README.md

@@ -32,3 +32,7 @@ generators`, to collect metrics and traces and export them using the `SignalFx`
 This example showcases how the collector can send traces to a Splunk Enterprise deployment from a program emitting traces.
 
 [Read more...](./splunk-hec-traces)
+
+## [Filelog receiver with Splunk Enterprise](./otel-logs-splunk)
+
+This example showcases how the collector can follow a file and send its contents to Splunk Enterprise.

examples/otel-logs-splunk/.gitignore

@@ -0,0 +1 @@
+output

examples/otel-logs-splunk/README.md

@@ -0,0 +1,16 @@
+# Splunk HEC Example
+
+This example showcases how the collector can collect data from files and send it to Splunk Enterprise.
+
+The example runs as a Docker Compose deployment. The collector can be configured to send logs to Splunk Enterprise.
+
+Splunk is configured to receive data from the OpenTelemetry Collector using the HTTP Event collector. To learn more about HEC, visit [our guide](https://dev.splunk.com/enterprise/docs/dataapps/httpeventcollector/).
+
+To deploy the example, check out this git repository, open a terminal and in this directory type:
+```bash
+$> docker-compose up
+```
+
+Splunk will become available on port 18000. You can login on [http://localhost:18000](http://localhost:18000) with `admin` and `changeme`.
+
+Once logged in, visit the [search application](http://localhost:18000/en-US/app/search) to see the logs collected by Splunk.

examples/otel-logs-splunk/docker-compose.yml

@@ -0,0 +1,40 @@
+version: "3"
+services:
+  # Sample Go application producing logs.
+  logging:
+    image: bash:latest
+    container_name: logging
+    command: 'bash -c "while(true) do echo \"$${date} new message\" >> /output/file.log ; sleep 1; done"'
+    volumes:
+      - ./output:/output
+  # Splunk Enterprise server:
+  splunk:
+    image: splunk/splunk:latest
+    container_name: splunk
+    environment:
+      - SPLUNK_START_ARGS=--accept-license
+      - SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-0000000000000
+      - SPLUNK_PASSWORD=changeme
+    ports:
+      - 18000:8000
+    healthcheck:
+      test: ['CMD', 'curl', '-f', 'http://localhost:8000']
+      interval: 5s
+      timeout: 5s
+      retries: 20
+    volumes:
+      - ./splunk.yml:/tmp/defaults/default.yml
+      - /opt/splunk/var
+      - /opt/splunk/etc
+  # OpenTelemetry Collector
+  otelcollector:
+    image:  quay.io/signalfx/splunk-otel-collector:0.29.0
+    container_name: otelcollector
+    command: ["--config=/etc/otel-collector-config.yml"]
+    volumes:
+      - ./otel-collector-config.yml:/etc/otel-collector-config.yml
+      - ./output:/output
+    depends_on:
+      - splunk
+    ports:
+      - 18088:8088

examples/otel-logs-splunk/otel-collector-config.yml

@@ -0,0 +1,42 @@
+receivers:
+    filelog:
+      include: [ /output/file.log ]
+
+exporters:
+    splunk_hec/logs:
+        # Splunk HTTP Event Collector token.
+        token: "00000000-0000-0000-0000-0000000000000"
+        # URL to a Splunk instance to send data to.
+        endpoint: "https://splunk:8088/services/collector"
+        # Optional Splunk source: https://docs.splunk.com/Splexicon:Source
+        source: "output"
+        # Splunk index, optional name of the Splunk index targeted.
+        index: "logs"
+        # Maximum HTTP connections to use simultaneously when sending data. Defaults to 100.
+        max_connections: 20
+        # Whether to disable gzip compression over HTTP. Defaults to false.
+        disable_compression: false
+        # HTTP timeout when sending data. Defaults to 10s.
+        timeout: 10s
+        # Whether to skip checking the certificate of the HEC endpoint when sending data over HTTPS. Defaults to false.
+        # For this demo, we use a self-signed certificate on the Splunk docker instance, so this flag is set to true.
+        insecure_skip_verify: true
+
+processors:
+    batch:
+
+extensions:
+    health_check:
+      endpoint: 0.0.0.0:13133
+    pprof:
+      endpoint: :1888
+    zpages:
+      endpoint: :55679
+
+service:
+    extensions: [pprof, zpages, health_check]
+    pipelines:
+      logs:
+        receivers: [filelog]
+        processors: [batch]
+        exporters: [splunk_hec/logs]

examples/otel-logs-splunk/splunk.yml

@@ -0,0 +1,11 @@
+splunk:
+    conf:
+      indexes:
+        directory: /opt/splunk/etc/apps/search/local
+        content:
+          logs:
+            coldPath: $SPLUNK_DB/logs/colddb
+            datatype: event
+            homePath: $SPLUNK_DB/logs/db
+            maxTotalDataSizeMB: 512000
+            thawedPath: $SPLUNK_DB/logs/thaweddb