Version: v4.24

to_splunk

Sends events to a Splunk HTTP Event Collector (HEC).

to_splunk url:string, hec_token=string,
          [host=string, source=string, sourcetype=expr, index=expr,
          cacert=string, certfile=string, keyfile=string,
          skip_peer_verification=bool, print_nulls=bool,
          max_content_length=int, buffer_timeout=duration, compress=bool]

Description

The to_splunk operator sends events to a Splunk HTTP Event Collector (HEC).

The source type defaults to _json and the operator renders incoming events as JSON. You can specify a different source type via the sourcetype option.

The operator accumulates multiple events before sending them as a single message to the HEC endpoint. You can control the maximum message size via the max_content_length option and the time the operator waits before sending all accumulated events via the buffer_timeout option.

url: string

The address of the Splunk indexer.

hec_token = string

The HEC token for authentication.

host = string (optional)

An optional value for the Splunk host.

source = string (optional)

An optional value for the Splunk source.

sourcetype = expr (optional)

An optional expression for Splunk's sourcetype that evaluates to a string. You can use this to set the sourcetype per event, by providing a field instead of a string.

Regardless of the chosen sourcetype, the event itself is passed as a JSON object in the event key of the top-level object that is sent.

Defaults to _json.

index = expr (optional)

An optional expression for the Splunk index that evaluates to a string.

If you do not provide this option, Splunk will use the default index.

NB: HEC silently drops events with an invalid index.

cacert = string (optional)

Path to the CA certificate used to verify the server's certificate.

certfile = string (optional)

Path to the client certificate.

keyfile = string (optional)

Path to the key for the client certificate.

skip_peer_verification = bool (optional)

When set to true, skips verification of the server's TLS certificate.

include_nulls = bool (optional)

Include fields with null values in the transmitted event data. By default, the operator drops all null values to save space.

max_content_length = int (optional)

The maximum size of the uncompressed message body in bytes. A message may consist of multiple events. If a single event is larger than this limit, it is dropped and a warning is emitted.

This corresponds to Splunk's max_content_length option. Be aware that Splunk Cloud has a default of 1MB for max_content_length.

Defaults to 5Mi.

buffer_timeout = duration (optional)

The maximum amount of time for which the operator accumulates messages before sending them out to the HEC endpoint as a single message.

Defaults to 5s.

compress = bool (optional)

Whether to compress the message body using standard gzip.

Defaults to true.
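The following Python model, added here as an illustration and not Tenzir's own implementation, shows what the options above translate to on the wire: the event wrapped under the event key with optional host, source, per-event sourcetype and index, null fields dropped unless include_nulls is set, batching bounded by max_content_length with oversize events dropped, gzip compression, and the TLS options mapped onto an ssl context. The function names, the sample events, the newline-joined batch layout and the HEC collector path and "Splunk <token>" authorization scheme are assumptions (the latter two are Splunk's documented HEC interface, not something this page states).

```python
import gzip
import json
import ssl
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple, Union

# Assumption: Splunk's documented HEC endpoint path; the page only gives the indexer URL.
HEC_PATH = "/services/collector/event"

# Models the page's `expr` options: either a fixed string or a per-event callable.
StrOrExpr = Union[str, Callable[[dict], str]]

# Constructed sample input (not from the page).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "user": None, "action": "login", "kind": "auth"},
    {"src_ip": "10.0.0.9", "bytes": 1200, "kind": "flow"},
]


def drop_nulls(value: Any) -> Any:
    """Recursively drop record fields whose value is null (the default when
    include_nulls is false). Null elements inside lists are left alone."""
    if isinstance(value, dict):
        return {k: drop_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [drop_nulls(v) for v in value]
    return value


def hec_envelope(event: dict, *, host: Optional[str] = None, source: Optional[str] = None,
                 sourcetype: StrOrExpr = "_json", index: Optional[StrOrExpr] = None,
                 include_nulls: bool = False) -> dict:
    """Wrap one event as the page describes: the event sits under the `event` key
    of the top-level object; sourcetype and index may be resolved per event."""
    def resolve(v: Any) -> Any:
        return v(event) if callable(v) else v
    env: Dict[str, Any] = {
        "sourcetype": resolve(sourcetype),
        "event": event if include_nulls else drop_nulls(event),
    }
    if host is not None:
        env["host"] = host
    if source is not None:
        env["source"] = source
    if index is not None:
        env["index"] = resolve(index)
    return env


def batch_events(events: Iterable[dict], max_content_length: int = 5 * 1024 * 1024,
                 **envelope_opts: Any) -> Tuple[List[bytes], List[dict]]:
    """Pack envelopes into uncompressed bodies of at most max_content_length bytes.
    Returns (bodies, dropped); an event that alone exceeds the limit is dropped,
    which is where the operator emits its warning."""
    bodies: List[bytes] = []
    dropped: List[dict] = []
    current: List[bytes] = []
    size = 0
    for ev in events:
        line = json.dumps(hec_envelope(ev, **envelope_opts), separators=(",", ":")).encode()
        if len(line) > max_content_length:
            dropped.append(ev)
            continue
        cost = len(line) + (1 if current else 0)  # newline between objects
        if current and size + cost > max_content_length:
            bodies.append(b"\n".join(current))
            current, size, cost = [], 0, len(line)
        current.append(line)
        size += cost
    if current:
        bodies.append(b"\n".join(current))
    return bodies, dropped


def build_request(url: str, hec_token: str, body: bytes,
                  compress: bool = True) -> Tuple[str, Dict[str, str], bytes]:
    """Return (target URL, headers, wire body) for one batch; gzip when compress is set."""
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    if compress:
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return url.rstrip("/") + HEC_PATH, headers, body


def build_ssl_context(cacert: Optional[str] = None, certfile: Optional[str] = None,
                      keyfile: Optional[str] = None,
                      skip_peer_verification: bool = False) -> ssl.SSLContext:
    """Map the TLS options onto an ssl context: cacert sets the trust anchor,
    certfile/keyfile enable client-certificate authentication, and
    skip_peer_verification disables both certificate and hostname checks."""
    ctx = ssl.create_default_context(cafile=cacert)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if skip_peer_verification:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    bodies, dropped = batch_events(SAMPLE_EVENTS, sourcetype=lambda e: "tenzir:" + e["kind"])
    for body in bodies:
        target, headers, wire = build_request("https://localhost:8088", "example-token-1234", body)
        print(target, headers, len(body), "->", len(wire), "bytes on the wire")
    print("dropped:", dropped)
```

Running this offline shows the two envelopes joined into one body, the null user field gone from the first event, and the gzip-compressed size beside the uncompressed one; lowering max_content_length to a few dozen bytes makes the oversize-event drop visible in the returned dropped list.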

Examples

Send a JSON file to a HEC endpoint

load_file "example.json"
read_json
to_splunk "https://localhost:8088", hec_token="example-token-1234"