Splunk HEC Source

The Vector splunk_hec source ingests data through the Splunk HTTP Event Collector protocol and outputs log events.

Configuration

vector.toml
[sources.my_source_id]
# REQUIRED
type = "splunk_hec" # must be: "splunk_hec"
# OPTIONAL
address = "0.0.0.0:8088" # default
token = "A94A8FE5CCB19BA61C4C08" # example, no default

Options

address

Type: string (common)

The address to accept connections on. The default binds every interface on the host, so the listener is reachable from any network the host is attached to; bind a specific address (for example 127.0.0.1:8088 behind a reverse proxy, or an internal interface) when the collector should not be exposed that widely.

Default: "0.0.0.0:8088"
token

Type: string (common, optional)

If supplied, every incoming request must carry this token in its Authorization header, in the form `Authorization: Splunk <token>`, exactly as a client would when talking to a Splunk HEC endpoint directly. If not supplied, the Authorization header is ignored and requests are not authenticated: any client that can reach the listening address can inject events into the pipeline. The token is a shared secret, so reference it through an environment variable (see Environment Variables below) rather than committing it to vector.toml.

No default

Output

For example, given the following input sent to the raw endpoint:

Hello world

A log event will be output with the following structure:

{
"message": "Hello world", // the raw request body, unaltered
"timestamp": <2019-07-26T20:30:27.000443Z>, // time the event was received (raw endpoint)
"host": "my.host.com", // value of the `Host` header
"splunk_channel": "FE0ECFAD-13D5-401B-847D-77833BD77131" // value of the `X-Splunk-Request-Channel` header
}

More detail on the output schema is below.

message

Type: string (required)

The raw log message, unaltered.

No default

splunk_channel

Type: string (required)

The Splunk channel: the value of the X-Splunk-Request-Channel header, copied as sent by the client.

No default

timestamp

Type: timestamp (required)

If the request is sent to the Splunk HEC event endpoint (/services/collector/event), the value of the event's time field is used; this value is supplied by the client and is not validated, so a client can date its events however it likes. If the request is sent to the Splunk HEC raw endpoint (/services/collector/raw), the time at which the event was received is used instead.

No default
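The following is an added example, not Vector's own code: a small Python model of the behaviour this page describes, covering both the token option (an `Authorization: Splunk <token>` header that is checked only when a token is configured) and the request-to-event mapping of the output schema (message, host, splunk_channel, timestamp). The endpoint paths come from the Splunk HEC protocol rather than from this page, and the model assumes one JSON object per line on the event endpoint, string-valued event payloads, a whole raw body as a single message, and a fall-back to the receive time when an event omits `time`. The sample request values are constructed to match the page's example.

```python
"""Toy model of the splunk_hec source's request handling (added example)."""
import hmac
import json
from datetime import datetime, timezone

# Endpoint paths are those of the Splunk HEC protocol (assumption: not on this page).
EVENT_PATH = "/services/collector/event"
RAW_PATH = "/services/collector/raw"

# Constructed sample request, matching the page's example values.
TOKEN = "A94A8FE5CCB19BA61C4C08"
HEADERS = {
    "Host": "my.host.com",
    "Authorization": "Splunk " + TOKEN,
    "X-Splunk-Request-Channel": "FE0ECFAD-13D5-401B-847D-77833BD77131",
}
RECEIVED_AT = datetime(2019, 7, 26, 20, 30, 27, 443, tzinfo=timezone.utc)


class Unauthorized(Exception):
    """Raised when a configured token is not presented correctly."""


def check_token(headers, configured_token):
    """Mirror the `token` option.

    With no token configured the Authorization header is ignored and every
    request passes.  Otherwise the header must read `Authorization: Splunk
    <token>` and the presented token must match the configured one exactly.
    """
    if configured_token is None:
        return True
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Splunk":
        return False
    # Constant-time comparison: a plain `==` stops at the first differing
    # byte and so leaks, via timing, how much of a guessed token is right.
    return hmac.compare_digest(presented.encode(), configured_token.encode())


def to_events(path, headers, body, received_at, configured_token=None):
    """Turn one HEC request into the list of log events this page describes."""
    if not check_token(headers, configured_token):
        raise Unauthorized("missing or invalid Splunk HEC token")
    # Both fields are copied from client-controlled headers without checks.
    common = {
        "host": headers.get("Host"),
        "splunk_channel": headers.get("X-Splunk-Request-Channel"),
    }
    if path == RAW_PATH:
        # Raw endpoint: the body is the message verbatim and the timestamp is
        # the time the request was received (assumption: one event per body).
        return [dict(common, message=body, timestamp=received_at)]
    if path == EVENT_PATH:
        events = []
        # Assumption for this toy: one JSON event object per line, with a
        # string-valued `event` payload.
        for line in body.splitlines():
            if not line.strip():
                continue
            obj = json.loads(line)
            if "time" in obj:
                # Client-supplied epoch seconds are trusted as-is, so a client
                # can back- or forward-date whatever it sends.
                ts = datetime.fromtimestamp(float(obj["time"]), tz=timezone.utc)
            else:
                ts = received_at  # assumption: fall back to receive time
            events.append(dict(common, message=obj["event"], timestamp=ts))
        return events
    raise ValueError("unsupported path: " + path)


if __name__ == "__main__":
    for ev in to_events(RAW_PATH, HEADERS, "Hello world", RECEIVED_AT, TOKEN):
        print(ev)
    body = json.dumps({"event": "Hello world", "time": 1564173027})
    for ev in to_events(EVENT_PATH, HEADERS, body, RECEIVED_AT, TOKEN):
        print(ev)
```

Running the module prints one event built from the raw body (timestamp equal to RECEIVED_AT) and one from the event endpoint (timestamp taken from the client's `time` field). Calling `to_events` with the sample headers but no `configured_token` shows the unauthenticated mode: whatever the Authorization header says, the request is accepted.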

How It Works

Environment Variables

Environment variables are supported throughout Vector's configuration. Add ${MY_ENV_VAR} anywhere in your Vector configuration file and the variable is substituted before the configuration is evaluated. This is the recommended way to supply secrets such as the token option above without writing them into the file itself.

You can learn more in the Environment Variables section.