Splunk HEC
Synopsis
Creates a Splunk HTTP Event Collector (HEC) target that sends events to one or more Splunk instances. Supports batching, compression, and field normalization.
Schema
```yaml
- name: <string>
  description: <string>
  type: splunk
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    source_type: <string>
    batch_size: <numeric>
    timeout: <numeric>
    tcp_routing: <boolean>
    use_compression: <boolean>
    insecure_skip_verify: <boolean>
    field_format: <string>
```
Configuration
The following are the fields used to define the target:
Field | Required | Default | Description |
---|---|---|---|
name | Y | - | Target name |
description | N | - | Optional description |
type | Y | - | Must be splunk |
pipelines | N | - | Optional post-processor pipelines |
status | N | true | Enable/disable the target |
Endpoint
Field | Required | Default | Description |
---|---|---|---|
endpoint | Y | - | Splunk HEC endpoint URL |
auth_type | N | token | Authentication type: token or secret |
token | N | - | HEC token when using token auth |
secret | N | - | Bearer token when using secret auth |
Event
Field | Required | Default | Description |
---|---|---|---|
index | N | - | Default Splunk index |
source_type | N | - | Default sourcetype for events |
batch_size | N | 10000 | Number of events to batch before sending |
timeout | N | 30 | Connection timeout in seconds |
Connection
Field | Required | Default | Description |
---|---|---|---|
tcp_routing | N | false | Enable TCP routing header |
use_compression | N | true | Enable gzip compression |
insecure_skip_verify | N | false | Skip TLS certificate verification |
field_format | N | - | Data normalization format. See applicable Normalization section |
Details
The Splunk HEC target sends log data to Splunk using the HTTP Event Collector (HEC) protocol. It supports multiple authentication methods, batching, compression, and automatic failover between endpoints.
Ensure your HEC tokens have the appropriate permissions and indexes enabled in Splunk. Invalid tokens or insufficient permissions will result in ingestion failures.
Events are automatically batched and compressed by default for optimal performance. If multiple endpoints are configured, the target will try each endpoint in order until successful delivery occurs.
Setting insecure_skip_verify to true disables TLS certificate verification and is not recommended for production environments.
Dynamic Routing
The target supports dynamic routing of events to different indexes and sourcetypes:
- Use the SystemS3 field in your logs to specify a custom index
- Use the SystemS2 field to specify a custom sourcetype
This allows sending different event types to appropriate indexes without creating multiple target configurations.
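The following is an added illustration, not the product's own code, of the three behaviours described above: per-event index/sourcetype selection from the SystemS3 and SystemS2 fields, batching into newline-delimited HEC payloads, and in-order endpoint failover with gzip compression. It assumes token auth (the standard `Splunk <token>` HEC header), that the routing fields are stripped from the forwarded event body, and uses constructed sample events.

```python
import gzip
import json
import urllib.request
import urllib.error

# Constructed sample events; SystemS3 / SystemS2 carry the per-event
# index and sourcetype overrides described on the page.
SAMPLE_EVENTS = [
    {"message": "login ok", "SystemS3": "auth", "SystemS2": "auth:login"},
    {"message": "disk 91%", "SystemS3": "infra"},
    {"message": "plain event"},
]

def to_hec(events, default_index=None, default_sourcetype=None):
    """Wrap each event in a HEC envelope. SystemS3 overrides the index and
    SystemS2 the sourcetype; otherwise the target defaults apply. Stripping
    the routing fields from the body is an assumption of this example."""
    out = []
    for ev in events:
        body = dict(ev)  # copy so the caller's event is not mutated
        index = body.pop("SystemS3", default_index)
        sourcetype = body.pop("SystemS2", default_sourcetype)
        hec = {"event": body}
        if index:
            hec["index"] = index
        if sourcetype:
            hec["sourcetype"] = sourcetype
        out.append(hec)
    return out

def batches(hec_events, batch_size):
    """Yield newline-delimited JSON payloads of at most batch_size events,
    the batch format accepted by the HEC /services/collector/event endpoint."""
    for i in range(0, len(hec_events), batch_size):
        chunk = hec_events[i:i + batch_size]
        yield "\n".join(json.dumps(e) for e in chunk).encode()

def send(payload, endpoints, token, use_compression=True, timeout=30):
    """Try each endpoint in order; return the first URL that accepts the batch."""
    body = gzip.compress(payload) if use_compression else payload
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    if use_compression:
        headers["Content-Encoding"] = "gzip"
    for url in endpoints:
        req = urllib.request.Request(url, data=body, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return url
        except (urllib.error.URLError, OSError):
            continue  # failover to the next configured endpoint
    raise RuntimeError("all HEC endpoints failed")
```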