splunk_hec

Writes messages to a Splunk HTTP Endpoint Collector.

Common
Advanced

# Common config fields, showing default values
output:
  label: ""
  splunk_hec:
    url: "" # No default (required)
    token: "" # No default (required)
    gzip: false
    event_host: ""
    event_source: ""
    event_sourcetype: ""
    event_index: ""
    batching_count: 100
    batching_period: 30s
    batching_byte_size: 1000000

# Advanced config fields, showing default values
output:
  label: ""
  splunk_hec:
    url: "" # No default (required)
    token: "" # No default (required)
    gzip: false
    event_host: ""
    event_source: ""
    event_sourcetype: ""
    event_index: ""
    batching_count: 100
    batching_period: 30s
    batching_byte_size: 1000000
    rate_limit: ""
    max_in_flight: 64
    skip_cert_verify: false

This output POSTs messages to a Splunk HTTP Endpoint Collector (HEC) using token based authentication. The format of the message must be a valid event JSON. Raw is not supported.

Fields

`url`

Full HTTP Endpoint Collector (HEC) URL, ie. https://foobar.splunkcloud.com/services/collector/event

Type: string

`token`

A bot token used for authentication.

Type: string

`gzip`

Enable gzip compression

Type: bool

Default: false

`event_host`

Set the host value to assign to the event data. Overrides existing host field if present.

Type: string

Default: ""

`event_source`

Set the source value to assign to the event data. Overrides existing source field if present.

Type: string

Default: ""

`event_sourcetype`

Set the sourcetype value to assign to the event data. Overrides existing sourcetype field if present.

Type: string

Default: ""

`event_index`

Set the index value to assign to the event data. Overrides existing index field if present.

Type: string

Default: ""

`batching_count`

A number of messages at which the batch should be flushed. If 0 disables count based batching.

Type: int

Default: 100

`batching_period`

A period in which an incomplete batch should be flushed regardless of its size.

Type: string

Default: "30s"

`batching_byte_size`

An amount of bytes at which the batch should be flushed. If 0 disables size based batching. Splunk Cloud recommends limiting content length of HEC payload to 1 MB.

Type: int

Default: 1000000

`rate_limit`

An optional rate limit resource to restrict API requests with.

Type: string

Default: ""

`max_in_flight`

The maximum number of parallel message batches to have in flight at any given time.

Type: int

Default: 64

`skip_cert_verify`

Whether to skip server side certificate verification.

Type: bool

Default: false