to_splunk
Sends events to a Splunk HTTP Event Collector (HEC).
to_splunk url:string, hec_token=string, [host=string, source=string, sourcetype=expr, index=expr, tls=bool, cacert=string, certfile=string, keyfile=string, skip_peer_verification=bool, print_nulls=bool, max_content_length=int, buffer_timeout=duration, compress=bool]
Description
The to_splunk operator sends events to a Splunk HTTP Event Collector (HEC).
The source type defaults to _json and the operator renders incoming events as JSON. You can specify a different source type via the sourcetype option.
The operator accumulates multiple events before sending them as a single message to the HEC endpoint. You can control the maximum message size via the max_content_length option and the timeout before sending all accumulated events via the buffer_timeout option.
url: string
The address of the Splunk indexer.
hec_token = string
The HEC token for authentication.
host = string (optional)
An optional value for the Splunk host.
source = string (optional)
An optional value for the Splunk source.
sourcetype = expr (optional)
An optional expression for Splunk’s sourcetype that evaluates to a string. You can use this to set the sourcetype per event by providing a field instead of a string.
Regardless of the chosen sourcetype, the event itself is passed as a JSON object in the event key of the top-level object that is sent.
Defaults to _json.
index = expr (optional)
An optional expression for the Splunk index that evaluates to a string.
If you do not provide this option, Splunk will use the default index.
NB: HEC silently drops events with an invalid index.
tls = bool (optional)
Enables TLS.
Defaults to true.
cacert = string (optional)
Path to the CA certificate used to verify the server’s certificate.
Defaults to the Tenzir configuration value tenzir.cacert, which in turn defaults to a common cacert location for the system.
certfile = string (optional)
Path to the client certificate.
keyfile = string (optional)
Path to the key for the client certificate.
skip_peer_verification = bool (optional)
Skips verification of the server’s TLS certificate when set to true.
Defaults to false.
include_nulls = bool (optional)
Include fields with null values in the transmitted event data. By default, the operator drops all null values to save space.
max_content_length = int (optional)
The maximum size of the uncompressed message body in bytes. A message may consist of multiple events. If a single event is larger than this limit, it is dropped and a warning is emitted.
This corresponds to Splunk’s max_content_length setting. Be aware that Splunk Cloud has a default of 1MB for max_content_length.
Defaults to 5Mi.
buffer_timeout = duration (optional)
The maximum amount of time for which the operator accumulates events before sending them out to the HEC endpoint as a single message.
Defaults to 5s.
compress = bool (optional)
Whether to compress the message body using standard gzip.
Defaults to true.
Examples
Send a JSON file to a HEC endpoint
load_file "example.json"
read_json
to_splunk "https://localhost:8088", hec_token="example-token-1234"