Splunk HEC

Experimental Observability

Synopsis

Creates a Splunk HTTP Event Collector (HEC) target that sends events to one or more Splunk instances. Supports multiple authentication methods, batching, compression, and automatic failover between endpoints.

Schema

- id: <numeric>
  name: <string>
  description: <string>
  type: splunk
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    source_type: <string>
    batch_size: <numeric>
    timeout: <numeric>
    tcp_routing: <boolean>
    compression: <boolean>
    insecure_skip_verify: <boolean>
    format: <string>

Configuration

The following are the minimum requirements to define the target.

Field	Required	Default	Description
`id`	Y		Unique identifier
`name`	Y		Target name
`description`	N	-	Optional description
`type`	Y		Must be `splunk`
`pipelines`	N	-	Optional post-processor pipelines
`status`	N	`true`	Enable/disable the target

Endpoint

Field	Required	Default	Description
`endpoint`	Y	-	Splunk HEC endpoint URL
`auth_type`	N	`token`	Authentication type: `token` or `secret`
`token`	N	-	HEC token when using token auth
`secret`	N	-	Bearer token when using secret auth

Event

Field	Required	Default	Description
`index`	N	-	Default Splunk index
`source_type`	N	-	Default sourcetype for events
`batch_size`	N	10000	Number of events to batch before sending
`timeout`	N	30	Connection timeout in seconds

Connection

Field	Required	Default	Description
`tcp_routing`	N	`false`	Enable TCP routing header
`use_compression`	N	`true`	Enable gzip compression
`insecure_skip_verify`	N	`false`	Skip TLS certificate verification
`format`	N	`cim`	Event format normalization (`cim`, `ecs`, `asim`, `cef`, `leef`, `csl`)

Details

Events are automatically batched and compressed by default for optimal performance. Failover between endpoints is handled automatically if multiple endpoints are configured.

Examples

Basic

Send events to a single HEC endpoint...

- id: 1
  name: basic_splunk
  type: splunk
  properties:
    endpoints:
      - endpoint: "https://splunk.example.com:8088/services/collector"
        auth_type: token
        token: "YOUR-HEC-TOKEN"
    index: "main"
    source_type: "vmetric"

Multiple Endpoints

Configure failover endpoints...

- id: 2
  name: ha_splunk
  type: splunk
  properties:
    endpoints:
      - endpoint: "https://splunk1.example.com:8088/services/collector"
        auth_type: token
        token: "PRIMARY-TOKEN"
      - endpoint: "https://splunk2.example.com:8088/services/collector"
        auth_type: token
        token: "BACKUP-TOKEN"
    index: "main"
    source_type: "vmetric"
    batch_size: 5000

High-Volume

Configure for high throughput...

- id: 3
  name: perf_splunk
  type: splunk
  properties:
    endpoints:
      - endpoint: "https://splunk.example.com:8088/services/collector"
        auth_type: token
        token: "YOUR-HEC-TOKEN"
    index: "metrics"
    source_type: "vmetric"
    batch_size: 20000
    timeout: 60
    compression: true
    tcp_routing: true

Secure

Using secret-based auth and TLS verification...

- id: 4
  name: secure_splunk
  type: splunk
  properties:
    endpoints:
      - endpoint: "https://splunk.example.com:8088/services/collector"
        auth_type: secret
        secret: "YOUR-BEARER-TOKEN"
    index: "secure"
    source_type: "vmetric"
    insecure_skip_verify: false
    compression: true

warning

Ensure your HEC tokens have the appropriate permissions and indexes enabled in Splunk. Invalid tokens or insufficient permissions will result in ingestion failures.

Synopsis​

Schema​

Configuration​

Endpoint​

Event​

Connection​

Details​

Examples​

Basic​

Multiple Endpoints​

High-Volume​

Secure​