Skip to main content
Version: 3.4.0

splunk-hec

Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC)

Field NameDescriptionTypeDefault
batchMaximum number of events in an output batch. If 'document' send on end of documentinteger or the 'document'-
timeoutInterval after which the batch is sent, to keep throughput goinginterval100ms
headerPut a header line before the batchtemplated text-
footerPut a header line after the last line of the batchtemplated text-
use-document-markerEnrich the pipe metadata with a document marker (for document handling in batch mode)boolfalse
retryFor operations that could potentially failRetry-
urlThe URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event)url-
insecureIgnore TLS certificate validation errors (This is unsafe to use)boolfalse
event-fieldIf specified the field's contents will be submitted as the event payload to the endpointfield-
time-fieldUse the specified field for the timestamp of the endpoint, should be in Unix epoch formatfield-
hostThe value for the host metadata of the submitted eventstring-
host-fieldUse the specified field's content as the value for the host metadata of the submitted eventfield-
sourceThe value for the source metadata of the submitted eventstring-
source-fieldUse the specified field's content as the value for the source metadata of the submitted eventfield-
sourcetypeThe value for the sourcetype metadata of the submitted eventstring-
sourcetype-fieldUse the specified field's content as the value for the sourcetype metadata of the submitted eventfield-
hec-tokenThe token to be used for authenticationstring-
hec-token-fieldUse the specified field's content as the token to be used for authenticationfield-

batch

Maximum number of events in an output batch. If 'document' send on end of document

Type: integer or the 'document'

timeout

Interval after which the batch is sent, to keep throughput going

Type: interval

Put a header line before the batch

Type: templated text

Put a header line after the last line of the batch

Type: templated text

use-document-marker

Enrich the pipe metadata with a document marker (for document handling in batch mode)

Type: bool

retry

For operations that could potentially fail

Type: Retry

Field NameDescriptionTypeDefault
countHow many attempts to make before declaring failureinteger-
pauseHow long to pause before re-tryingduration-
foreverKeep trying until success is declaredboolfalse

count

How many attempts to make before declaring failure

Type: integer

Example

action:

exec:
command: echo 'one two'
retry:
count: 1

output:

{"_raw":"one two"}

pause

How long to pause before re-trying

Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)

Type: duration

Example

action:

exec:
command: echo 'one two'
retry:
count: 6
pause: 10s

output:

{"_raw":"one two"}

forever

Keep trying until success is declared

Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)

Type: bool

Example

action:

exec:
command: echo 'one two'
retry:
forever: true

output:

{"_raw":"one two"}

url

The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event)

Type: url

insecure

Ignore TLS certificate validation errors (This is unsafe to use)

Type: bool

event-field

If specified the field's contents will be submitted as the event payload to the endpoint

Type: field

time-field

Use the specified field for the timestamp of the endpoint, should be in Unix epoch format

Type: field

host

The value for the host metadata of the submitted event

Type: string

host-field

Use the specified field's content as the value for the host metadata of the submitted event

Type: field

source

The value for the source metadata of the submitted event

Type: string

source-field

Use the specified field's content as the value for the source metadata of the submitted event

Type: field

sourcetype

The value for the sourcetype metadata of the submitted event

Type: string

sourcetype-field

Use the specified field's content as the value for the sourcetype metadata of the submitted event

Type: field

hec-token

The token to be used for authentication

Type: string

hec-token-field

Use the specified field's content as the token to be used for authentication

Type: field