Kafka Destination
Kafka provides a highly scalable and fault-tolerant messaging system that enables real-time data processing and stream processing at scale. When integrated with Segment, Kafka serves as a powerful backbone for managing and processing event data collected by Segment, allowing businesses to efficiently ingest, route, and analyze data across various applications and systems in real time.
Getting started
Create the Kafka Destination
- From your workspace’s Destination catalog page search for “Kafka”.
- Select the “Kafka” tile and click Add Destination.
- Select an existing Source to connect to Kafka.
- Enter a name for your Kafka destination.
Configure the Kafka Destination
The way you’ve configured your Kafka Cluster informs the authentication and encryption settings you’ll need to apply to the Segment Kafka Destination. You may need the assistance of someone technical to provide values for the following Settings:
-
On the Settings tab, enter values into the Client ID, Brokers and Authentication Mechanism setting fields.
-
Populate fields based on the value you selected from the Authentication Mechanism field:
- Plain or SCRAM-SHA-256 / 512 authentication: provide values for Username and Password fields.
- AWS authentication: provide values for AWS Access Key ID and AWS Secret Key fields, and optionally for the AWS Authorization Identity field.
- Client Certificate authentication: provide values for the SSL Client Key and SSL Client Certificate fields.
-
Populate the SSL Certificate Authority field, if necessary.
-
Save your changes and proceed to Configure the Send Action.
Configure the “Send” Action
-
Select the Mappings tab and add a new Send mapping.
-
Select a Topic to send data to. This field should auto-populate based on the credentials you provided in the Settings tab.
-
Map your payload using the Payload field.
(Optional): Specify partitioning preferences, Headers and Message Key values. -
Save and enable the Action, then navigate back to the Kafka destination’s Settings tab to enable and save the Destination.
Destination Settings
| Setting | Description |
|---|---|
| AWS Access Key ID | The Access Key ID for your AWS IAM instance. Must be populated if using AWS IAM Authentication Mechanism. |
| AWS Authorization Identity | AWS IAM role ARN used for authorization. This field is optional, and should only be populated if using the AWS IAM Authentication Mechanism. |
| Brokers | Required. The brokers for your Kafka instance, in the format of |
| Client ID | Required. The client ID for your Kafka instance. Defaults to ‘segment-actions-kafka-producer’. |
| Authentication Mechanism | Required. Select the Authentication Mechanism to use. For SCRAM or PLAIN populate the ‘Username’ and ‘Password’ fields. For AWS IAM populated the ‘AWS Access Key ID’ and ‘AWS Secret Key’ fields. For ‘Client Certificate’ populated the ‘SSL Client Key’ and ‘SSL Client Certificate’ fields |
| Password | The password for your Kafka instance. Should only be populated if using PLAIN or SCRAM Authentication Mechanisms. |
| AWS Secret Key | The Secret Key for your AWS IAM instance. Must be populated if using AWS IAM Authentication Mechanism. |
| SSL Certificate Authority | The Certificate Authority for your Kafka instance. Exclude the first and last lines from the file. i.e |
| SSL Client Certificate | The Certificate Authority for your Kafka instance. Exclude the first and last lines from the file. i.e |
| SSL Enabled | Required. Indicates if SSL should be enabled. |
| SSL Client Key | The Client Key for your Kafka instance. Exclude the first and last lines from the file. i.e |
| SSL - Reject Unauthorized Certificate Authority | Required. Whether to reject unauthorized CAs or not. This can be useful when testing, but is unadvised in Production. |
| Username | The username for your Kafka instance. Should be populated only if using PLAIN or SCRAM Authentication Mechanisms. |
Available Actions
Build your own Mappings. Combine supported triggers with the following Kafka-supported actions:
Mapping limits per destination
Individual destination instances have support a maximum of 50 mappings.
Send
Send data to a Kafka topic
Send is a Cloud action. The default Trigger is: type = "track" or type = "identify" or type = "page" or type = "screen" or type = "group"
| Field | Description |
|---|---|
| Topic* | Type: STRINGThe Kafka topic to send messages to. This field auto-populates from your Kafka instance. |
| Payload* | Type: OBJECTThe data to send to Kafka |
| Headers | Type: OBJECTHeader data to send to Kafka. Format is Header key, Header value (optional). |
| Partition | Type: INTEGERThe partition to send the message to (optional) |
| Default Partition | Type: INTEGERThe default partition to send the message to (optional) |
| Message Key | Type: STRINGThe key for the message (optional) |
| Enable Batching? | Type: BOOLEANWhen enabled, Segment will send events in batches. |
FAQ
Which Kafka Platforms are supported?
The Kafka Destination can send data to Topics on self-hosted Kafka Clusters, or to Clusters hosted on Managed Service platforms like Confluent Cloud and Aiven.
Which data formats are supported?
Segment sends data to Kafka in JSON format only. Segment does not yet support other formats, like Avro or Protobuf.
Which authentication mechanisms are supported?
The Authentication Mechanism is controlled with the Authentication Mechanism Setting field.
Segment supports the following SASL-based authentication methods:
- Plain
- SCRAM-SHA-256
- SCRAM-SHA-512
- AWS
Segment also supports Client Certificate authentication.
How is partitioning controlled?
The Send Action provides multiple ways to specify which Partition an event should be sent to.
- Partition: Use this field to specify the name of the Partition Segment should send events to.
- Default Partition: Use this field to specify a default Partition. Segment uses this when you don’t provide a value in the Partition field.
- Message Key: Segment uses a hash of this field’s value to determine which Partition should receive an event. If you don’t provide a Message Key, Segment uses a round robin algorithm to select the partition to send the event to.
What is the “SSL - Reject Unauthorized Certificate Authority” field for?
This field specifies if Segment should reject server connections when a certificate is not signed by a trusted Certificate Authority (CA). This can be useful for testing purposes or when using a self-signed certificate.
Engage
You can send computed traits and audiences generated using Engage to this destination as a user property. To learn more about Engage, schedule a demo.
For user-property destinations, an identify call is sent to the destination for each user being added and removed. The property name is the snake_cased version of the audience name, with a true/false value to indicate membership. For example, when a user first completes an order in the last 30 days, Engage sends an Identify call with the property order_completed_last_30days: true. When the user no longer satisfies this condition (for example, it’s been more than 30 days since their last order), Engage sets that value to false.
When you first create an audience, Engage sends an Identify call for every user in that audience. Later audience syncs only send updates for users whose membership has changed since the last sync.
Real-time to batch destination sync frequency
Real-time audience syncs to Kafka may take six or more hours for the initial sync to complete. Upon completion, a sync frequency of two to three hours is expected.
Settings
Segment lets you change these destination settings from the Segment app without having to touch any code.
| Setting | Description |
|---|---|
| AWS Access Key ID | string. The Access Key ID for your AWS IAM instance. Must be populated if using AWS IAM Authentication Mechanism. |
| AWS Authorization Identity | string. AWS IAM role ARN used for authorization. This field is optional, and should only be populated if using the AWS IAM Authentication Mechanism. |
| Brokers (required) |
string. The brokers for your Kafka instance, in the format of host:port. E.g. localhost:9092. Accepts a comma delimited string. |
| Client ID (required) |
string, defaults to segment-actions-kafka-producer . The client ID for your Kafka instance. Defaults to ‘segment-actions-kafka-producer’. |
| Authentication Mechanism (required) |
select, defaults to plain. Select the Authentication Mechanism to use. For SCRAM or PLAIN populate the ‘Username’ and ‘Password’ fields. For AWS IAM populated the ‘AWS Access Key ID’ and ‘AWS Secret Key’ fields. For ‘Client Certificate’ populated the ‘SSL Client Key’ and ‘SSL Client Certificate’ fields |
| Password | password. The password for your Kafka instance. Should only be populated if using PLAIN or SCRAM Authentication Mechanisms. |
| AWS Secret Key | password. The Secret Key for your AWS IAM instance. Must be populated if using AWS IAM Authentication Mechanism. |
| SSL Certificate Authority | string. The Certificate Authority for your Kafka instance. Exclude the first and last lines from the file. i.e -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. |
| SSL Client Certificate | string. The Certificate Authority for your Kafka instance. Exclude the first and last lines from the file. i.e -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. |
| SSL Enabled (required) |
boolean, defaults to TRUE . Indicates if SSL should be enabled. |
| SSL Client Key | string. The Client Key for your Kafka instance. Exclude the first and last lines from the file. i.e -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. |
| SSL - Reject Unauthorized Certificate Authority (required) |
boolean, defaults to TRUE . Whether to reject unauthorized CAs or not. This can be useful when testing, but is unadvised in Production. |
| Username | string. The username for your Kafka instance. Should be populated only if using PLAIN or SCRAM Authentication Mechanisms. |
This page was last modified: 07 Aug 2024
Need support?
Questions? Problems? Need more info? Contact Segment Support for assistance!