This processor is responsible for polling Splunk server and determine if a Splunk event is acknowledged at the time of execution. For more details about the HEC Index Acknowledgement please see this documentation.


In order to work properly, the incoming flow files need to have the attributes "splunk.acknowledgement.id" and "splunk.responded.at" filled properly. The flow file attribute "splunk.acknowledgement.id" should continue the "ackId" contained by the response of the Splunk from the original put call. The flow file attribute "splunk.responded.at" should contain the Unix Epoch the put call was answered by Splunk. It is suggested to use PutSplunkHTTP processor to execute the put call and set these attributes.

Unacknowledged and undetermined cases

Splunk serves information only about successful acknowledgement. In every other case it will return a value of false. This includes unsuccessful or ongoing indexing and unknown acknowledgement identifiers. In order to avoid infinite tries, QuerySplunkIndexingStatus gives user the possibility to set a "Maximum waiting time". Results with value of false from Splunk within the specified waiting time will be handled as "undetermined" and are transferred to the "undetermined" relationship. Flow files outside of this time range will be queried as well and be transferred to either "acknowledged" or "unacknowledged" relationship determined by the Splunk response. In order to determine if the indexing of a given event is within the waiting time, the Unix Epoch of the original Splunk response is stored in the attribute "splunk.responded.at". Setting "Maximum waiting time" too low might result some false negative result as in case under higher load, Splunk server might index slower than it is expected.

Undetermined cases are normal in healthy environment as it is possible that NiFi asks for indexing status before Splunk finishes and acknowledges it. These cases are safe to retry and it is suggested to loop "undetermined" relationship back to the processor for later try. Flow files transferred into the "Undetermined" relationship are penalized.


Please keep Splunk channel limitations in mind: there are multiple configuration parameters in Splunk which might have direct effect on the performance and behaviour of the QuerySplunkIndexingStatus processor. For example "max_number_of_acked_requests_pending_query" and "max_number_of_acked_requests_pending_query_per_ack_channel" might limit the amount of ackIDs, the Splunk stores.

Also, it is suggested to execute the query in batches. The "Maximum Query Size" property might be used for fine tune the maximum number of events the processor will query about in one API request. This serves as an upper limit for the batch but the processor might execute the query with less number of undetermined events.