Version: 3.5.2

Output: splunk-hec

Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC)

Field Summary

Each entry gives the field name, its type, its default (- means none) and what it does.

batch (integer or 'document'; default -): Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of each document.
timeout (interval; default 100ms): Interval after which the batch is sent, to keep throughput going.
header (templated text; default -): Put a header line before the batch.
footer (templated text; default -): Put a footer line after the last line of the batch.
use-document-marker (bool; default false): Enrich the pipe metadata with a document marker (for document handling in batch mode).
retry (Retry; default -): For operations that could potentially fail.
url (url; default -): The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event).
insecure (bool; default false): Ignore TLS certificate validation errors (this is unsafe to use).
metrics (bool; default false): Send a metrics formatted payload to the HEC endpoint.
remove (bool; default false): Consume (remove) fields from the event payload before submitting to the endpoint. Applies to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field.
event-field (field; default -): If specified, the field's contents are submitted as the event payload to the endpoint.
time-field (field; default -): Use the specified field's content as the timestamp of the submitted event; it should be in Unix epoch format.
index (string; default -): The value for the index metadata of the submitted event.
index-field (field; default -): Use the specified field's content as the value for the index metadata of the submitted event.
host (string; default -): The value for the host metadata of the submitted event.
host-field (field; default -): Use the specified field's content as the value for the host metadata of the submitted event.
source (string; default -): The value for the source metadata of the submitted event.
source-field (field; default -): Use the specified field's content as the value for the source metadata of the submitted event.
sourcetype (string; default -): The value for the sourcetype metadata of the submitted event.
sourcetype-field (field; default -): Use the specified field's content as the value for the sourcetype metadata of the submitted event.
hec-token (string; default -): The token to be used for authentication.
hec-token-field (field; default -): Use the specified field's content as the token to be used for authentication.
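The following is an added example of a complete splunk-hec output block, not a snippet from the project's own documentation. It assumes that the output is declared under a splunk-hec key (by analogy with the exec: snippets elsewhere on this page) and that earlier pipeline steps have already set the ts, splunk_index and hec_token fields on each event; those three field names, the hostname and the URL are made up for the illustration.

```yaml
# Added example (not the project's own): a splunk-hec output that takes
# per-event metadata from fields and fixed metadata from static settings.
# Assumptions: the output lives under a 'splunk-hec' key, and earlier steps
# populate the 'ts', 'splunk_index' and 'hec_token' fields (made-up names).
splunk-hec:
  url: https://splunk.example.internal:8088/services/collector/event
  insecure: false            # keep certificate validation on; fix the chain instead

  # Authentication token read from an event field rather than hard-coded here.
  hec-token-field: hec_token
  # Consume the referenced fields so the token (and ts / splunk_index) are
  # stripped from the event payload before it is sent and indexed.
  remove: true

  # Per-event metadata taken from fields...
  time-field: ts             # Unix epoch, as the time-field description requires
  index-field: splunk_index
  # ...and metadata that is the same for every event.
  host: pipe-forwarder-01
  source: pipe
  sourcetype: _json

  # Batching: flush once 500 events have accumulated, or after 1s regardless.
  batch: 500
  timeout: 1s

  # Transient HEC failures are retried a bounded number of times.
  retry:
    count: 5
    pause: 10s
```

The point of pairing hec-token-field with remove: true is that the token is used for the Authorization exchange only and never ends up inside the indexed event; with remove left at its default of false the token field would be forwarded as ordinary event data.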

Fields

batch

Type: integer or the 'document'

Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of each document.

timeout

Type: interval

Default: 100ms

Interval after which the batch is sent, to keep throughput going

header

Type: templated text

Put a header line before the batch

footer

Type: templated text

Put a footer line after the last line of the batch

use-document-marker

Type: bool

Default: false

Enrich the pipe metadata with a document marker (for document handling in batch mode)

retry

Type: Retry

For operations that could potentially fail

count (integer; default -): How many attempts to make before declaring failure.
pause (duration; default -): How long to pause before re-trying.
forever (bool; default false): Keep trying until success is declared.

  count

Type: integer

How many attempts to make before declaring failure

Example

Pipe Language Snippet:

exec:
  command: echo 'one two'
  retry:
    count: 1

Output:

{"_raw":"one two"}

  pause

Type: duration

How long to pause before re-trying

Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)

Example

Pipe Language Snippet:

exec:
  command: echo 'one two'
  retry:
    count: 6
    pause: 10s

Output:

{"_raw":"one two"}

  forever

Type: bool

Default: false

Keep trying until success is declared. When set, count is not needed; note that an output that can never succeed will retry indefinitely.

Example

Pipe Language Snippet:

exec:
  command: echo 'one two'
  retry:
    forever: true

Output:

{"_raw":"one two"}

url

Type: url

The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event)

insecure

Type: bool

Default: false

Ignore TLS certificate validation errors. This is unsafe to use: with validation disabled, an attacker who can intercept the connection can present any certificate, read the events and capture the HEC token. Prefer fixing the certificate chain (or the trust store of the host running the pipe) over enabling this.

metrics

Type: bool

Default: false

Send a metrics formatted payload to the HEC endpoint

remove

Type: bool

Default: false

Consume (remove) the referenced fields from the event payload before it is submitted to the endpoint. Applies to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field. Set this to true when using hec-token-field, otherwise the token is forwarded (and indexed) as part of the event.

event-field

Type: field
Alias: event

If specified, the field's contents are submitted as the event payload to the endpoint instead of the whole event.

time-field

Type: field

Use the specified field's content as the timestamp of the submitted event; the value should be in Unix epoch format.

index

Type: string

The value for the index metadata of the submitted event

index-field

Type: field

Use the specified field's content as the value for the index metadata of the submitted event

host

Type: string

The value for the host metadata of the submitted event

host-field

Type: field

Use the specified field's content as the value for the host metadata of the submitted event

source

Type: string

The value for the source metadata of the submitted event

source-field

Type: field

Use the specified field's content as the value for the source metadata of the submitted event

sourcetype

Type: string

The value for the sourcetype metadata of the submitted event

sourcetype-field

Type: field

Use the specified field's content as the value for the sourcetype metadata of the submitted event

hec-token

Type: string

The token to be used for authentication. This is a secret: keep it out of version-controlled pipe definitions, or supply it per event via hec-token-field instead.

hec-token-field

Type: field

Use the specified field's content as the token to be used for authentication