Splunk HEC

Experimental Observability

Synopsis

Creates a Splunk HTTP Event Collector (HEC) target that sends events to one or more Splunk instances.

Schema

name: <string>
description: <string>
type: splunk
tags: <string[]>
pipelines: <pipeline[]>
status: <boolean>
properties:
  endpoints:
    - endpoint: <string>
      auth_type: <string>
      token: <string>
      secret: <string>
  index: <string>
  source_type: <string>
  batch_size: <numeric>
  timeout: <numeric>
  tcp_routing: <boolean>
  compression: <boolean>
  insecure_skip_verify: <boolean>
  format: <string>

Configuration

The following are the minimum requirements to define the target.

Field	Required	Default	Description
`name`	Y		Target name
`description`	N	-	Optional description
`type`	Y		Must be `splunk`
`pipelines`	N	-	Optional post-processor pipelines
`status`	N	`true`	Enable/disable the target

Endpoint

Field	Required	Default	Description
`endpoint`	Y	-	Splunk HEC endpoint URL
`auth_type`	N	`token`	Authentication type: `token` or `secret`
`token`	N	-	HEC token when using token auth
`secret`	N	-	Bearer token when using secret auth

Event

Field	Required	Default	Description
`index`	N	-	Default Splunk index
`source_type`	N	-	Default sourcetype for events
`batch_size`	N	10000	Number of events to batch before sending
`timeout`	N	30	Connection timeout in seconds

Connection

Field	Required	Default	Description
`tcp_routing`	N	`false`	Enable TCP routing header
`use_compression`	N	`true`	Enable gzip compression
`insecure_skip_verify`	N	`false`	Skip TLS certificate verification
`format`	N	`cim`	Event format normalization (`cim`, `ecs`, `asim`, `cef`, `leef`, `csl`)

Details

The target supports multiple authentication methods, batching, compression, and automatic failover between endpoints.

Events are automatically batched and compressed by default for optimal performance. Failover between endpoints is handled automatically if multiple endpoints are configured.

Examples

Basic

Send events to a single HEC endpoint...

name: basic_splunk
type: splunk
properties:
  endpoints:
    - endpoint: "https://splunk.example.com:8088/services/collector"
      auth_type: token
      token: "YOUR-HEC-TOKEN"
  index: "main"
  source_type: "vmetric"

Multiple Endpoints

Configure failover endpoints...

name: ha_splunk
type: splunk
properties:
  endpoints:
    - endpoint: "https://splunk1.example.com:8088/services/collector"
      auth_type: token
      token: "PRIMARY-TOKEN"
    - endpoint: "https://splunk2.example.com:8088/services/collector"
      auth_type: token
      token: "BACKUP-TOKEN"
  index: "main"
  source_type: "vmetric"
  batch_size: 5000

High-Volume

Configure for high throughput...

name: perf_splunk
type: splunk
properties:
  endpoints:
    - endpoint: "https://splunk.example.com:8088/services/collector"
      auth_type: token
      token: "YOUR-HEC-TOKEN"
  index: "metrics"
  source_type: "vmetric"
  batch_size: 20000
  timeout: 60
  compression: true
  tcp_routing: true

Secure

Using secret-based auth and TLS verification...

name: secure_splunk
type: splunk
properties:
  endpoints:
    - endpoint: "https://splunk.example.com:8088/services/collector"
      auth_type: secret
      secret: "YOUR-BEARER-TOKEN"
  index: "secure"
  source_type: "vmetric"
  insecure_skip_verify: false
  compression: true

warning

Ensure your HEC tokens have the appropriate permissions and indexes enabled in Splunk. Invalid tokens or insufficient permissions will result in ingestion failures.

Synopsis​

Schema​

Configuration​

Endpoint​

Event​

Connection​

Details​

Examples​

Basic​

Multiple Endpoints​

High-Volume​

Secure​