Splunk HEC
Splunk HEC (splunk-hec)
Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC).
Observability json
Minimal example
```yaml
output:
  splunk-hec:
    hec-token:
      hec-token-value: ~
    url: ""
```

```json
{
  "output": {
    "splunk-hec": {
      "hec-token": {
        "hec-token-value": null
      },
      "url": ""
    }
  }
}
```
Collector Options
| Field | Type | Required | Description |
|---|---|---|---|
| hec-token | Hec Token | ✅ | Specify a value to use for the HEC Token or set it using an event field. Allowed values: hec-token-value, hec-token-field |
| metrics ✓ | boolean (bool) | | Send a metrics formatted payload to the HEC endpoint. Default: false |
| event-field | field (string) | | If specified, the field’s contents will be submitted as the event payload to the endpoint. Examples: data_field |
| time-field | field (string) | | Use the specified field for the timestamp of the endpoint. This should be in Unix epoch format. Examples: data_field |
| index | Index | | Specify a value to use for the Splunk index or set it using an event field. Allowed values: index-value, index-field |
| host | Host | | Specify a value to use for the Splunk host or set it using an event field. Allowed values: host-value, host-field |
| source | Source | | Specify a value to use for the Splunk source or set it using an event field. Allowed values: source-value, source-field |
| sourcetype | Sourcetype | | Specify a value to use for the Splunk sourcetype or set it using an event field. Allowed values: source-type-value, source-type-field |
| remove ✓ | boolean (bool) | | Consume (remove) fields from the event payload before submitting to the endpoint. Applicable to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field. Default: false |
Endpoint
| Field | Type | Required | Description |
|---|---|---|---|
| url | url (string) | ✅ | The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event). Examples: https://example.com/path |
Processing
| Field | Type | Required | Description |
|---|---|---|---|
| batch | Batch | | Batching input events together. |
Reliability
| Field | Type | Required | Description |
|---|---|---|---|
| retry | Retry | | How to retry this operation. |
Security
| Field | Type | Required | Description |
|---|---|---|---|
| insecure ✓ | boolean (bool) | | Ignore TLS certificate validation errors (this is not recommended). Default: false |
| disable-preflight ✓ | boolean (bool) | | Disable the Splunk HEC “preflight” verification request (not recommended). When enabled (default), LyftData performs a lightweight request to a derived HEC health URL before sending any event payloads, to reduce the risk of accidental misconfiguration sending sensitive data to a non-HEC endpoint. Default: false |
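
A configuration check for the options in the Security and Collector Options tables, as an added example that is not part of the LyftData documentation or product. It flags a non-https `url`, `insecure`, `disable-preflight`, and a `hec-token-field` that is not consumed by `remove`. The sample configs, host name and the field name `hec_token` are constructed, and the "exactly one token option" rule is an assumption.

```python
import json
from urllib.parse import urlparse

def audit_splunk_hec(config: dict) -> list:
    """Return security findings for the splunk-hec output of a parsed job config."""
    out = (config.get("output") or {}).get("splunk-hec")
    if out is None:
        return ["no splunk-hec output defined"]
    findings = []
    if urlparse(out.get("url") or "").scheme != "https":
        findings.append("url: scheme is not https")
    if out.get("insecure", False):
        findings.append("insecure: TLS certificate validation errors are ignored")
    if out.get("disable-preflight", False):
        findings.append("disable-preflight: endpoint is not checked before events are sent")
    token = out.get("hec-token") or {}
    chosen = [k for k in ("hec-token-value", "hec-token-field") if token.get(k)]
    # Assumption: exactly one of the two allowed options should be set.
    if len(chosen) != 1:
        findings.append("hec-token: set exactly one of hec-token-value, hec-token-field")
    # Inference from the `remove` and `event-field` descriptions: with remove
    # left false and no event-field narrowing the payload, the field holding
    # the token is still part of the event submitted to Splunk.
    if chosen == ["hec-token-field"] and not out.get("remove", False) \
            and not out.get("event-field"):
        findings.append("remove: token field is not consumed from the event payload")
    return findings

# Constructed sample configs in the JSON form shown under "Minimal example".
# The host name and the field name "hec_token" are made up.
WEAK = json.loads("""{"output": {"splunk-hec": {
    "hec-token": {"hec-token-field": "hec_token"},
    "url": "http://hec.example.internal:8088/services/collector/event",
    "insecure": true, "disable-preflight": true}}}""")
HARDENED = json.loads("""{"output": {"splunk-hec": {
    "hec-token": {"hec-token-field": "hec_token"},
    "url": "https://hec.example.internal:8088/services/collector/event",
    "remove": true}}}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_splunk_hec(cfg) or "no findings")
```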
Schema
- Hec Token Options
- Index Options
- Host Options
- Source Options
- Sourcetype Options
- Batch Fields
- Retry Fields
- Batch - Mode Options
Hec Token Options
| Option | Name | Type | Description |
|---|---|---|---|
| hec-token-value | Hec Token Value | string | |
| hec-token-field | Hec Token Field | string | Examples: data_field |
Index Options
| Option | Name | Type | Description |
|---|---|---|---|
| index-value | Index Value | string | |
| index-field | Index Field | string | Examples: data_field |
Host Options
| Option | Name | Type | Description |
|---|---|---|---|
| host-value | Host Value | string | |
| host-field | Host Field | string | Examples: data_field |
Source Options
| Option | Name | Type | Description |
|---|---|---|---|
| source-value | Source Value | string | |
| source-field | Source Field | string | Examples: data_field |
Sourcetype Options
| Option | Name | Type | Description |
|---|---|---|---|
| source-type-value | Source Type Value | string | |
| source-type-field | Source Type Field | string | Examples: data_field |
Batch Fields
| Field | Type | Required | Description |
|---|---|---|---|
| fixed-size ✓ | number (integer) | | Maximum number of events in an output batch. Examples: 42, 1.2e-10 |
| mode | Mode | ✅ | If ‘document’, send on end of document generated by input. If ‘fixed’, use fixed_size. Allowed values: fixed, document |
| timeout | time-interval (string) | ✅ | Interval after which the batch is sent, to keep throughput going (default 100ms). Default: 100ms. Examples: 500ms, 2h |
| header | multiline-text (string) | | Put a header line before the batch. |
| footer | multiline-text (string) | | Put a footer line after the last line of the batch. |
| use-document-marker ✓ | boolean (bool) | | Enrich the job metadata with a document marker (for document handling in batch mode). Default: false |
| wrap-as-json ✓ | boolean (bool) | | Format the output batch as a JSON array. Default: false |
Retry Fields
| Field | Type | Required | Description |
|---|---|---|---|
| timeout | time-interval (string) | ✅ | Timeout (e.g. 500ms, 2s etc. - default is 30). Examples: 500ms, 2h |
| retries | number (integer) | | Number of retries. Examples: 42, 1.2e-10 |
Batch - Mode Options
| Value | Name | Description |
|---|---|---|
| fixed | fixed | Fixed |
| document | document | Document |