Output: splunk-hec
Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC)
Field Summary
Field Name | Type | Description | Default |
---|---|---|---|
batch | integer or 'document' | Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of the document | - |
timeout | interval | Interval after which the batch is sent, to keep throughput going | 100ms |
header | templated text | Put a header line before the batch | - |
footer | templated text | Put a footer line after the last line of the batch | - |
use-document-marker | bool | Enrich the pipe metadata with a document marker (for document handling in batch mode) | false |
retry | Retry | For operations that could potentially fail | - |
url | url | The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event) | - |
insecure | bool | Ignore TLS certificate validation errors (This is unsafe to use) | false |
metrics | bool | Send a metrics formatted payload to the HEC endpoint | false |
remove | bool | Consume (remove) fields from the event payload before submitting to the endpoint. Applicable to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field | false |
event-field | field | If specified the field's contents will be submitted as the event payload to the endpoint | - |
time-field | field | Use the specified field as the timestamp submitted to the endpoint; the value should be in Unix epoch format | - |
index | string | The value for the index metadata of the submitted event | - |
index-field | field | Use the specified field's content as the value for the index metadata of the submitted event | - |
host | string | The value for the host metadata of the submitted event | - |
host-field | field | Use the specified field's content as the value for the host metadata of the submitted event | - |
source | string | The value for the source metadata of the submitted event | - |
source-field | field | Use the specified field's content as the value for the source metadata of the submitted event | - |
sourcetype | string | The value for the sourcetype metadata of the submitted event | - |
sourcetype-field | field | Use the specified field's content as the value for the sourcetype metadata of the submitted event | - |
hec-token | string | The token to be used for authentication | - |
hec-token-field | field | Use the specified field's content as the token to be used for authentication | - |
Fields
batch
Type: integer or 'document'
Maximum number of events in an output batch. If set to 'document', the batch is sent at the end of the document
timeout
Type: interval
Default: 100ms
Interval after which the batch is sent, to keep throughput going
header
Type: templated text
Put a header line before the batch
footer
Type: templated text
Put a footer line after the last line of the batch
use-document-marker
Type: bool
Default: false
Enrich the pipe metadata with a document marker (for document handling in batch mode)
retry
Type: Retry
For operations that could potentially fail
Field Name | Type | Description | Default |
---|---|---|---|
count | integer | How many attempts to make before declaring failure | - |
pause | duration | How long to pause before re-trying | - |
forever | bool | Keep trying until success is declared | false |
count
Type: integer
How many attempts to make before declaring failure
Example
Pipe Language Snippet:
exec:
  command: echo 'one two'
  retry:
    count: 1
Output:
{"_raw":"one two"}
pause
Type: duration
How long to pause before re-trying
Accepts human-friendly formats, like 1m (for 1 minute) and 4h (for 4 hours)
Example
Pipe Language Snippet:
exec:
  command: echo 'one two'
  retry:
    count: 6
    pause: 10s
Output:
{"_raw":"one two"}
forever
Type: bool
Default: false
Keep trying until success is declared
Example
Pipe Language Snippet:
exec:
  command: echo 'one two'
  retry:
    forever: true
Output:
{"_raw":"one two"}
url
Type: url
The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event)
insecure
Type: bool
Default: false
Ignore TLS certificate validation errors (This is unsafe to use)
metrics
Type: bool
Default: false
Send a metrics formatted payload to the HEC endpoint
remove
Type: bool
Default: false
Consume (remove) fields from the event payload before submitting to the endpoint. Applicable to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field
event-field
Type: field
Alias: event
If specified the field's contents will be submitted as the event payload to the endpoint
time-field
Type: field
Use the specified field as the timestamp submitted to the endpoint; the value should be in Unix epoch format
index
Type: string
The value for the index metadata of the submitted event
index-field
Type: field
Use the specified field's content as the value for the index metadata of the submitted event
host
Type: string
The value for the host metadata of the submitted event
host-field
Type: field
Use the specified field's content as the value for the host metadata of the submitted event
source
Type: string
The value for the source metadata of the submitted event
source-field
Type: field
Use the specified field's content as the value for the source metadata of the submitted event
sourcetype
Type: string
The value for the sourcetype metadata of the submitted event
sourcetype-field
Type: field
Use the specified field's content as the value for the sourcetype metadata of the submitted event
hec-token
Type: string
The token to be used for authentication
hec-token-field
Type: field
Use the specified field's content as the token to be used for authentication
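The interaction between `remove` and the `*-field` options, modelled in Python as an added example (not the tool's own code). The envelope keys and the `Authorization: Splunk <token>` header follow the Splunk HEC event format; the field names `ts`, `node`, `tok` and the precedence of a `*-field` option over its fixed counterpart are assumptions.

```python
import json

# Envelope metadata keys; each is set by a fixed option (e.g. `host`) or by
# the matching per-event `*-field` option from the table above.
META = ("index", "host", "source", "sourcetype")


def build_hec_request(event, cfg):
    """Model of how one event maps to a HEC request; returns (headers, body).
    Assumption: a `*-field` option wins over the fixed value when present."""
    payload = dict(event)  # work on a copy, never mutate the caller's event
    remove = cfg.get("remove", False)

    def take(option):
        # Read the field named by `option`; consume it only if `remove` is set.
        name = cfg.get(option)
        if name is None or name not in payload:
            return None
        return payload.pop(name) if remove else payload[name]

    body = {}
    ts = take("time-field")
    if ts is not None:
        body["time"] = float(ts)  # Unix epoch seconds
    for key in META:
        value = take(key + "-field")
        if value is None:
            value = cfg.get(key)
        if value is not None:
            body[key] = value
    token = take("hec-token-field") or cfg.get("hec-token")
    if not token:
        raise ValueError("no HEC token configured or present in the event")
    field = cfg.get("event-field")
    body["event"] = payload[field] if field else payload
    return {"Authorization": "Splunk " + token}, body


def token_in_body(body, token):
    """True if the authentication token would be indexed with the event."""
    return token in json.dumps(body)


# Constructed sample data: placeholder token, hypothetical field names.
EVENT = {"ts": 1700000000, "node": "web-01", "msg": "login failed",
         "tok": "00000000-0000-0000-0000-000000000000"}
CFG = {"time-field": "ts", "host-field": "node", "hec-token-field": "tok",
       "sourcetype": "app:auth", "index": "main"}
```

With `remove` left at its default of false, a token read through `hec-token-field` stays in the event body and is indexed along with it.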