splunk-hec
Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC)
Field Name | Description | Type | Default |
---|---|---|---|
batch | Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of the document | integer or 'document' | - |
timeout | Interval after which the batch is sent, to keep throughput going | interval | 100ms |
header | Put a header line before the batch | templated text | - |
footer | Put a footer line after the last line of the batch | templated text | - |
use-document-marker | Enrich the pipe metadata with a document marker (for document handling in batch mode) | bool | false |
retry | For operations that could potentially fail | Retry | - |
url | The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event) | url | - |
insecure | Ignore TLS certificate validation errors (This is unsafe to use) | bool | false |
event-field | If specified the field's contents will be submitted as the event payload to the endpoint | field | - |
time-field | Use the specified field as the timestamp of the event submitted to the endpoint; the value should be in Unix epoch format | field | - |
host | The value for the host metadata of the submitted event | string | - |
host-field | Use the specified field's content as the value for the host metadata of the submitted event | field | - |
source | The value for the source metadata of the submitted event | string | - |
source-field | Use the specified field's content as the value for the source metadata of the submitted event | field | - |
sourcetype | The value for the sourcetype metadata of the submitted event | string | - |
sourcetype-field | Use the specified field's content as the value for the sourcetype metadata of the submitted event | field | - |
hec-token | The token to be used for authentication | string | - |
hec-token-field | Use the specified field's content as the token to be used for authentication | field | - |
batch
Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of the document
Type: integer or 'document'
timeout
Interval after which the batch is sent, to keep throughput going
Type: interval
header
Put a header line before the batch
Type: templated text
footer
Put a footer line after the last line of the batch
Type: templated text
use-document-marker
Enrich the pipe metadata with a document marker (for document handling in batch mode)
Type: bool
retry
For operations that could potentially fail
Type: Retry
Field Name | Description | Type | Default |
---|---|---|---|
count | How many attempts to make before declaring failure | integer | - |
pause | How long to pause before re-trying | duration | - |
forever | Keep trying until success is declared | bool | false |
count
How many attempts to make before declaring failure
Type: integer
Example
```yaml
action:
  exec:
    command: echo 'one two'
    retry:
      count: 1
```
output:
```
{"_raw":"one two"}
```
pause
How long to pause before re-trying
Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)
Type: duration
Example
```yaml
action:
  exec:
    command: echo 'one two'
    retry:
      count: 6
      pause: 10s
```
output:
```
{"_raw":"one two"}
```
forever
Keep trying until success is declared
Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)
Type: bool
Example
```yaml
action:
  exec:
    command: echo 'one two'
    retry:
      forever: true
```
output:
```
{"_raw":"one two"}
```
url
The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event)
Type: url
insecure
Ignore TLS certificate validation errors (This is unsafe to use)
Type: bool
event-field
If specified the field's contents will be submitted as the event payload to the endpoint
Type: field
time-field
Use the specified field as the timestamp of the event submitted to the endpoint; the value should be in Unix epoch format
Type: field
host
The value for the host metadata of the submitted event
Type: string
host-field
Use the specified field's content as the value for the host metadata of the submitted event
Type: field
source
The value for the source metadata of the submitted event
Type: string
source-field
Use the specified field's content as the value for the source metadata of the submitted event
Type: field
sourcetype
The value for the sourcetype metadata of the submitted event
Type: string
sourcetype-field
Use the specified field's content as the value for the sourcetype metadata of the submitted event
Type: field
hec-token
The token to be used for authentication
Type: string
hec-token-field
Use the specified field's content as the token to be used for authentication
Type: field
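The following Python sketch is an added example, not code from this tool: it shows how the options above could map onto the Splunk HEC JSON envelope (`time`, `host`, `source`, `sourcetype`, `event`) and the `Authorization: Splunk <token>` header, with TLS verification left on as with `insecure: false`. The function names, the option-to-envelope mapping, the precedence of `*-field` options over fixed values, and the placeholder token are assumptions.

```python
import json
import ssl
import urllib.request

# Constructed sample values; the token is a placeholder, not a real credential.
HEC_URL = "https://127.0.0.1:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def to_hec_event(record, event_field=None, time_field=None, **meta):
    """Wrap one record in the Splunk HEC JSON envelope (assumed option mapping).

    meta takes host/source/sourcetype (fixed values) and
    host_field/source_field/sourcetype_field (names of record fields).
    """
    envelope = {}
    if time_field and time_field in record:
        envelope["time"] = float(record[time_field])  # Unix epoch seconds
    for key in ("host", "source", "sourcetype"):
        field = meta.get(key + "_field")
        if field and field in record:
            envelope[key] = str(record[field])  # per-event value (assumed to win)
        elif meta.get(key) is not None:
            envelope[key] = meta[key]  # fixed value from the config
    # With event_field set, only that field is the payload; else the whole record.
    envelope["event"] = record[event_field] if event_field else record
    return envelope


def build_request(records, token=HEC_TOKEN, url=HEC_URL, **opts):
    """Build one POST whose body is the batch as concatenated JSON objects."""
    body = "".join(json.dumps(to_hec_event(r, **opts)) for r in records)
    return urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})


def tls_context():
    """TLS settings matching insecure: false (certificate and hostname checked)."""
    return ssl.create_default_context()


def send(request, timeout=5.0):
    """POST the batch; a certificate error raises instead of being ignored."""
    with urllib.request.urlopen(request, timeout=timeout,
                                context=tls_context()) as resp:
        return resp.status
```

Because the token travels in a request header, a certificate failure in `send` should be treated as a delivery error to retry or alert on, not worked around by disabling verification.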