Version: 1.4.0

Splunk HEC

Experimental Observability

Synopsis

Creates a Splunk HTTP Event Collector (HEC) target that sends events to one or more Splunk instances. Supports batching, compression, and field normalization.

Schema

- name: <string>
  description: <string>
  type: splunk
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    endpoints:
      - endpoint: <string>
        auth_type: <string>
        token: <string>
        secret: <string>
    index: <string>
    source_type: <string>
    batch_size: <numeric>
    timeout: <numeric>
    tcp_routing: <boolean>
    use_compression: <boolean>
    insecure_skip_verify: <boolean>
    field_format: <string>

Configuration

The following are the fields used to define the target:

| Field | Required | Default | Description |
|---|---|---|---|
| name | Y | - | Target name |
| description | N | - | Optional description |
| type | Y | - | Must be splunk |
| pipelines | N | - | Optional post-processor pipelines |
| status | N | true | Enable/disable the target |

Endpoint

| Field | Required | Default | Description |
|---|---|---|---|
| endpoint | Y | - | Splunk HEC endpoint URL |
| auth_type | N | token | Authentication type: token or secret |
| token | N | - | HEC token when using token auth |
| secret | N | - | Bearer token when using secret auth |

Event

| Field | Required | Default | Description |
|---|---|---|---|
| index | N | - | Default Splunk index |
| source_type | N | - | Default sourcetype for events |
| batch_size | N | 10000 | Number of events to batch before sending |
| timeout | N | 30 | Connection timeout in seconds |

Connection

| Field | Required | Default | Description |
|---|---|---|---|
| tcp_routing | N | false | Enable TCP routing header |
| use_compression | N | true | Enable gzip compression |
| insecure_skip_verify | N | false | Skip TLS certificate verification |
| field_format | N | - | Data normalization format. See the Field Normalization section |

Details

The Splunk HEC target sends log data to Splunk using the HTTP Event Collector (HEC) protocol. It supports multiple authentication methods, batching, compression, and automatic failover between endpoints.

warning

Ensure your HEC tokens have the appropriate permissions and indexes enabled in Splunk. Invalid tokens or insufficient permissions will result in ingestion failures.

Events are automatically batched and compressed by default for optimal performance. If multiple endpoints are configured, the target tries each endpoint in order until delivery succeeds.

warning

Setting insecure_skip_verify to true disables TLS certificate verification and is not recommended for production environments.

Dynamic Routing

The target supports dynamic routing of events to different indexes and sourcetypes:

  • Use the SystemS3 field in your logs to specify a custom index
  • Use the SystemS2 field to specify a custom sourcetype

This allows sending different event types to appropriate indexes without creating multiple target configurations.
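The delivery behaviour described above (per-event index/sourcetype routing via SystemS3 and SystemS2, gzip compression, the token and secret authentication headers, and in-order failover across endpoints) as an added, stand-alone Python example; it is not the product's own code. The sample events are constructed, and the field names other than SystemS3/SystemS2 are assumptions.

```python
import gzip
import json
import urllib.error
import urllib.request

# Constructed sample events; SystemS3/SystemS2 are the page's routing fields, other names are assumed.
SAMPLE_EVENTS = [
    {"message": "Accepted publickey for ops", "host": "web1", "SystemS3": "auth", "SystemS2": "sshd"},
    {"message": "cpu load 0.93", "host": "web1"},
    {"message": "Failed password for root", "host": "web2", "SystemS3": "auth"},
]

def hec_auth_header(auth_type, credential):
    """Authorization header value for the target's two auth types."""
    if auth_type == "token":
        return "Splunk " + credential  # classic HEC token header
    if auth_type == "secret":
        return "Bearer " + credential  # bearer token header
    raise ValueError("auth_type must be 'token' or 'secret'")

def build_hec_batch(events, default_index, default_sourcetype):
    """Newline-delimited HEC JSON; per-event SystemS3/SystemS2 override the defaults."""
    lines = []
    for ev in events:
        body = {"event": ev,
                "index": ev.get("SystemS3", default_index),
                "sourcetype": ev.get("SystemS2", default_sourcetype)}
        lines.append(json.dumps(body, separators=(",", ":")))
    return "\n".join(lines).encode()

def send_with_failover(endpoints, payload, use_compression=True, timeout=30):
    """POST one batch, trying endpoints in order until one returns HTTP 200.
    urlopen's default SSL context verifies the certificate (insecure_skip_verify: false)."""
    data = gzip.compress(payload) if use_compression else payload
    last_error = None
    for ep in endpoints:
        auth_type = ep.get("auth_type", "token")
        cred = ep["token"] if auth_type == "token" else ep["secret"]
        headers = {"Authorization": hec_auth_header(auth_type, cred),
                   "Content-Type": "application/json"}
        if use_compression:
            headers["Content-Encoding"] = "gzip"
        req = urllib.request.Request(ep["endpoint"], data=data, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return ep["endpoint"]  # delivered; stop failover
        except (urllib.error.URLError, OSError) as exc:
            last_error = exc  # try the next endpoint
    raise RuntimeError(f"all HEC endpoints failed, last error: {last_error}")
```

Call send_with_failover with the endpoints list from a target's properties and the bytes returned by build_hec_batch; the second sample event falls back to the target-level index and sourcetype, the third overrides only the index.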

Field Normalization

Field normalization helps standardize log data before sending it to Splunk, ensuring consistent data formats that can be easily correlated:

  • ecs - Elastic Common Schema
  • cim - Common Information Model (recommended for Splunk)

Examples

Basic

Send events to a single HEC endpoint...

targets:
  - name: basic_splunk
    type: splunk
    properties:
      endpoints:
        - endpoint: "https://splunk.example.com:8088/services/collector"
          auth_type: token
          token: "YOUR-HEC-TOKEN"
      index: "main"
      source_type: "vmetric"

Multiple Endpoints

Configure failover endpoints...

targets:
  - name: ha_splunk
    type: splunk
    properties:
      endpoints:
        - endpoint: "https://splunk1.example.com:8088/services/collector"
          auth_type: token
          token: "PRIMARY-TOKEN"
        - endpoint: "https://splunk2.example.com:8088/services/collector"
          auth_type: token
          token: "BACKUP-TOKEN"
      index: "main"
      source_type: "vmetric"
      batch_size: 5000

High-Volume

Configure for high throughput...

targets:
  - name: perf_splunk
    type: splunk
    properties:
      endpoints:
        - endpoint: "https://splunk.example.com:8088/services/collector"
          auth_type: token
          token: "YOUR-HEC-TOKEN"
      index: "metrics"
      source_type: "vmetric"
      batch_size: 20000
      timeout: 60
      use_compression: true
      tcp_routing: true

With Field Normalization

Using CIM field normalization for better Splunk integration...

targets:
  - name: normalized_splunk
    type: splunk
    properties:
      endpoints:
        - endpoint: "https://splunk.example.com:8088/services/collector"
          auth_type: token
          token: "YOUR-HEC-TOKEN"
      index: "main"
      field_format: "cim"

Secure

Using secret-based auth and TLS verification...

targets:
  - name: secure_splunk
    type: splunk
    properties:
      endpoints:
        - endpoint: "https://splunk.example.com:8088/services/collector"
          auth_type: secret
          secret: "YOUR-BEARER-TOKEN"
      index: "secure"
      source_type: "vmetric"
      insecure_skip_verify: false
      use_compression: true