Splunk HTTP Event Collector (HEC)
Receive logs from Splunk
Configuration
Example configurations
{
  "sources": {
    "my_source_id": {
      "type": "splunk_hec",
      "acknowledgements": null,
      "address": "0.0.0.0:8080",
      "token": "A94A8FE5CCB19BA61C4C08",
      "valid_tokens": [
        "A94A8FE5CCB19BA61C4C08"
      ]
    }
  }
}

[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:8080"
token = "A94A8FE5CCB19BA61C4C08"
valid_tokens = [ "A94A8FE5CCB19BA61C4C08" ]

---
sources:
  my_source_id:
    type: splunk_hec
    acknowledgements: null
    address: 0.0.0.0:8080
    token: A94A8FE5CCB19BA61C4C08
    valid_tokens:
      - A94A8FE5CCB19BA61C4C08

{
  "sources": {
    "my_source_id": {
      "type": "splunk_hec",
      "acknowledgements": null,
      "address": "0.0.0.0:8080",
      "token": "A94A8FE5CCB19BA61C4C08",
      "valid_tokens": [
        "A94A8FE5CCB19BA61C4C08"
      ],
      "tls": null,
      "store_hec_token": null
    }
  }
}

[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:8080"
token = "A94A8FE5CCB19BA61C4C08"
valid_tokens = [ "A94A8FE5CCB19BA61C4C08" ]

---
sources:
  my_source_id:
    type: splunk_hec
    acknowledgements: null
    address: 0.0.0.0:8080
    token: A94A8FE5CCB19BA61C4C08
    valid_tokens:
      - A94A8FE5CCB19BA61C4C08
    tls: null
    store_hec_token: null

acknowledgements
common optional object
acknowledgement settings. This setting is deprecated in favor of enabling acknowledgements in the destination sink.

acknowledgements.ack_idle_cleanup
optional bool
max_idle_time seconds. A channel is idling if it is not used for sending data or querying ack statuses.
Default: false

acknowledgements.enabled
common optional bool
Default: false

acknowledgements.max_idle_time
optional uint
Minimum of 1.
Default: 300 (seconds)

acknowledgements.max_number_of_ack_channels
optional uint
Minimum of 1.
Default: 1e+06

acknowledgements.max_pending_acks
optional uint
max_number_of_acked_requests_pending_query Splunk HEC setting. Minimum of 1.
Default: 1e+07

acknowledgements.max_pending_acks_per_channel
optional uint
max_number_of_acked_requests_pending_query_per_ack_channel Splunk HEC setting. Minimum of 1.
Default: 1e+06

store_hec_token
optional bool
If true, the token will be kept in the event metadata and will be used if the event is sent to a Splunk HEC sink.
Default: false

tls
optional object

tls.ca_file
optional string literal
Absolute path to an additional CA certificate file.
The certificate must be in the DER or PEM (X.509) format. Additionally, the certificate can be provided as an inline string in PEM format.

tls.crt_file
optional string literal
Absolute path to a certificate file used to identify this server.
The certificate must be in DER, PEM (X.509), or PKCS#12 format. Additionally, the certificate can be provided as an inline string in PEM format.
If this is set, and is not a PKCS#12 archive, key_file must also be set.

tls.enabled
optional bool
Whether or not to require TLS for incoming/outgoing connections.
When enabled and used for incoming connections, an identity certificate is also required. See tls.crt_file for more information.
Default: false

tls.key_file
optional string literal
Absolute path to a private key file used to identify this server.
The key must be in DER or PEM (PKCS#8) format. Additionally, the key can be provided as an inline string in PEM format.

tls.key_pass
optional string literal
Passphrase used to unlock the encrypted key file.
This has no effect unless key_file is set.

tls.verify_certificate
optional bool
Enables certificate verification.
If enabled, certificates must be valid in terms of not being expired, as well as being issued by a trusted issuer. This verification operates in a hierarchical manner, checking that not only the leaf certificate (the certificate presented by the client/server) is valid, but also that the issuer of that certificate is valid, and so on until reaching a root certificate.
Relevant for both incoming and outgoing connections.
Do NOT set this to false unless you understand the risks of not verifying the validity of certificates.
Default: false

token
common optional string literal
Authorization header, just as a client would if it was communicating with the Splunk HEC endpoint directly. If not supplied, the Authorization header will be ignored and requests will not be authenticated.

valid_tokens
common optional [string]
Authorization header, just as a client would if it was communicating with the Splunk HEC endpoint directly. If not supplied, the Authorization header will be ignored and requests will not be authenticated.

Outputs
<component_id>
Output Data
Logs
Event
2019-02-13T19:48:34+00:00 [info] Started GET "/" for 127.0.0.1
splunk_hec
X-Splunk-Request-Channel header or channel query parameter, in that order of precedence.
2020-10-10T17:07:36.452332Z
2020-10-10T17:07:36.452332Z
Telemetry
Metrics
component_errors_total
counter
component_id instead. The value is the same as component_id.

component_received_bytes_total
counter
component_id instead. The value is the same as component_id.

component_received_event_bytes_total
counter
component_id instead. The value is the same as component_id.

component_received_events_total
counter
component_id instead. The value is the same as component_id.

component_sent_event_bytes_total
counter
component_id instead. The value is the same as component_id.

component_sent_events_total
counter
component_id instead. The value is the same as component_id.

events_in_total
counter
component_received_events_total instead.
component_id instead. The value is the same as component_id.

events_out_total
counter
component_sent_events_total instead.
component_id instead. The value is the same as component_id.

http_request_errors_total
counter

requests_received_total
counter
component_id instead. The value is the same as component_id.

source_lag_time_seconds
histogram
component_id instead. The value is the same as component_id.

How it works
Indexer Acknowledgements
Transport Layer Security (TLS)
tls.* options.
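
A pre-deployment check for the token, valid_tokens and tls.* options described above, added here as an example (not Vector's own code). It reads a JSON-form Vector configuration and flags splunk_hec sources that accept unauthenticated requests, listen without TLS on a non-loopback address, or break the crt_file/key_file rule. The function name, the sample sources other than my_source_id, the file paths and the extension-based PKCS#12 test are assumptions.

```python
import json

LOOPBACK = ("127.", "localhost", "[::1]")

def audit_splunk_hec(config):
    """Return {source_id: [findings]} for each splunk_hec source in a Vector config."""
    report = {}
    for source_id, src in config.get("sources", {}).items():
        if src.get("type") != "splunk_hec":
            continue
        findings = []
        tls = src.get("tls") or {}  # "tls": null means no TLS options were given
        # Without token/valid_tokens the Authorization header is ignored entirely.
        if not src.get("token") and not src.get("valid_tokens"):
            findings.append("unauthenticated: neither token nor valid_tokens is set")
        if not tls.get("enabled"):
            # Plain HTTP off-host exposes tokens and events on the wire.
            if not str(src.get("address", "")).startswith(LOOPBACK):
                findings.append("cleartext: tls.enabled is off on a non-loopback address")
        else:
            crt = tls.get("crt_file")
            if not crt:
                findings.append("tls.enabled is set but tls.crt_file is missing")
            # Assumption: a PKCS#12 archive is recognised by its file extension.
            elif not tls.get("key_file") and not crt.lower().endswith((".p12", ".pfx")):
                findings.append("tls.crt_file is not PKCS#12 and tls.key_file is missing")
        if tls.get("key_pass") and not tls.get("key_file"):
            findings.append("tls.key_pass has no effect unless tls.key_file is set")
        report[source_id] = findings
    return report

# Constructed sample: the first source mirrors this page's example configuration;
# the other sources, the token EXAMPLE-TOKEN and the file paths are made up.
SAMPLE = json.loads("""
{"sources": {
  "my_source_id": {"type": "splunk_hec", "address": "0.0.0.0:8080", "tls": null,
    "token": "A94A8FE5CCB19BA61C4C08", "valid_tokens": ["A94A8FE5CCB19BA61C4C08"]},
  "open_hec": {"type": "splunk_hec", "address": "127.0.0.1:8088"},
  "tls_hec": {"type": "splunk_hec", "address": "0.0.0.0:8088",
              "valid_tokens": ["EXAMPLE-TOKEN"],
              "tls": {"enabled": true, "crt_file": "/etc/vector/hec.crt",
                      "key_file": "/etc/vector/hec.key"}},
  "console": {"type": "stdin"}
}}
""")

if __name__ == "__main__":
    for source_id, findings in audit_splunk_hec(SAMPLE).items():
        print(source_id, "->", findings or "ok")
```

An empty findings list means the source passed every check; the page's own example is flagged only for listening on 0.0.0.0 without TLS.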