splunk_hec
This component is experimental and therefore subject to change or removal outside of major version releases.
Writes messages to a Splunk HTTP Endpoint Collector.
# Common config fields, showing default values
output:
  label: ""
  splunk_hec:
    url: "" # No default (required)
    token: "" # No default (required)
    gzip: false
    event_host: ""
    event_source: ""
    event_sourcetype: ""
    event_index: ""
    batching_count: 100
    batching_period: 30s
    batching_byte_size: 1000000
# All config fields, showing default values
output:
  label: ""
  splunk_hec:
    url: "" # No default (required)
    token: "" # No default (required)
    gzip: false
    event_host: ""
    event_source: ""
    event_sourcetype: ""
    event_index: ""
    batching_count: 100
    batching_period: 30s
    batching_byte_size: 1000000
    rate_limit: ""
    max_in_flight: 64
    skip_cert_verify: false
This output POSTs messages to a Splunk HTTP Endpoint Collector (HEC) using token-based authentication. Each message must be valid event JSON. Raw is not supported.
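What this contract means for a single message and for the request that carries it, as an added example that is not the component's own code: a message is accepted only if it is a JSON object with an `event` key, the `event_*` fields replace values already in the message, and the token travels in the `Authorization: Splunk <token>` header that HEC expects. The function names, the https-only check and the sample event are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Overrides mirrors event_host, event_source, event_sourcetype and event_index.
type Overrides struct{ Host, Source, Sourcetype, Index string }

// PrepareEvent rejects anything that is not an event JSON object (raw text, or
// JSON without an "event" key) and applies each non-empty override.
func PrepareEvent(msg []byte, o Overrides) ([]byte, error) {
	var ev map[string]interface{}
	if err := json.Unmarshal(msg, &ev); err != nil {
		return nil, fmt.Errorf("not a JSON object: %w", err)
	}
	if _, ok := ev["event"]; !ok {
		return nil, errors.New(`missing "event" key`)
	}
	for k, v := range map[string]string{"host": o.Host, "source": o.Source, "sourcetype": o.Sourcetype, "index": o.Index} {
		if v != "" {
			ev[k] = v // replaces any value already present in the message
		}
	}
	return json.Marshal(ev)
}

// BuildRequest stacks a batch into one POST body and attaches the HEC token.
func BuildRequest(hecURL, token string, batch [][]byte) (*http.Request, error) {
	if !strings.HasPrefix(hecURL, "https://") { // added check: keep the token off cleartext links
		return nil, errors.New("refusing to send HEC token over a non-TLS URL")
	}
	req, err := http.NewRequest(http.MethodPost, hecURL, bytes.NewReader(bytes.Join(batch, []byte("\n"))))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	return req, nil
}

func main() {
	ev, err := PrepareEvent([]byte(`{"event":"login failed","host":"old"}`), Overrides{Host: "edge-01"}) // constructed sample
	fmt.Println(string(ev), err)
}
```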
Fields
url
Full HTTP Endpoint Collector (HEC) URL, e.g. https://foobar.splunkcloud.com/services/collector/event
Type: string
token
A bot token used for authentication.
Type: string
gzip
Enable gzip compression.
Type: bool
Default: false
event_host
Set the host value to assign to the event data. Overrides existing host field if present.
Type: string
Default: ""
event_source
Set the source value to assign to the event data. Overrides existing source field if present.
Type: string
Default: ""
event_sourcetype
Set the sourcetype value to assign to the event data. Overrides existing sourcetype field if present.
Type: string
Default: ""
event_index
Set the index value to assign to the event data. Overrides existing index field if present.
Type: string
Default: ""
batching_count
The number of messages at which the batch should be flushed. A value of 0 disables count-based batching.
Type: int
Default: 100
batching_period
A period in which an incomplete batch should be flushed regardless of its size.
Type: string
Default: "30s"
batching_byte_size
The number of bytes at which the batch should be flushed. A value of 0 disables size-based batching. Splunk Cloud recommends limiting content length of HEC payload to 1 MB.
Type: int
Default: 1000000
rate_limit
An optional rate limit resource to restrict API requests with.
Type: string
Default: ""
max_in_flight
The maximum number of parallel message batches to have in flight at any given time.
Type: int
Default: 64
skip_cert_verify
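Whether to skip server-side certificate verification. When enabled, the endpoint's TLS certificate is not validated, so the token and event data can be intercepted by a party impersonating the collector.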
Type: bool
Default: false