Splunk

    To get more details about how to set up the HEC in Splunk, please refer to the following documentation: Splunk / Use the HTTP Event Collector

    The Splunk output plugin supports TLS/SSL; for more details about the properties available and general configuration, please refer to the TLS/SSL section.

    Getting Started

    To insert records into a Splunk service, you can run the plugin from the command line or through the configuration file:

    In your main configuration file, append the following Input and Output sections:

    [INPUT]
        Name        cpu

    [OUTPUT]
        Name        splunk
        Match       *
        Host        127.0.0.1
        Port        8088
        TLS.Verify  Off
        Message_Key my_key

    By default, the Splunk output plugin nests the record under the event key in the payload sent to the HEC, and appends the record's timestamp as a top-level time key.

    If you would like to customize any of the Splunk event metadata, such as the host or target index, you can set Splunk_Send_Raw On in the plugin configuration, and add the metadata as keys/values in the record. Note: with Splunk_Send_Raw enabled, you are responsible for creating and populating the event section of the payload.

    For example, to add a custom index and hostname:

    This will create a payload that looks like:

    {
        "index": "my-splunk-index",
        "host": "my-host",
        "event": {
            "cpu_p": 0.000000,
            "user_p": 0.000000,
            "system_p": 0.000000
        }
    }

    If the option has been enabled, the user must take care to put all log details in the event field and to specify only fields known to Splunk in the top-level object; if there is a mismatch, Splunk will return an HTTP 400 error.
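    As an added illustration (not the plugin's own code), the following Python models the two payload shapes described above and checks for the top-level key mismatch that makes HEC answer with HTTP 400. The set of accepted metadata keys comes from Splunk's HEC documentation; the cpu record values and the timestamp are constructed, and raw mode is simplified to "send the record as-is".

```python
import json
from typing import Any, Dict, List

# Top-level keys that Splunk HEC accepts alongside "event" (per Splunk's HEC
# event metadata documentation; treated here as the "fields known to Splunk").
HEC_METADATA_KEYS = {"time", "host", "source", "sourcetype", "index", "fields"}


def build_hec_payload(record: Dict[str, Any], timestamp: float,
                      send_raw: bool = False) -> Dict[str, Any]:
    """Model the two modes described in the text (simplified, assumed).

    send_raw=False: the record is nested under "event" and the record
    time is added as a top-level "time" key (the plugin's default).
    send_raw=True:  the record is sent as-is, so it must already carry
    its own "event" section plus any metadata keys.
    """
    if send_raw:
        return dict(record)
    return {"time": timestamp, "event": dict(record)}


def validate_hec_payload(payload: Dict[str, Any]) -> List[str]:
    """Return the problems HEC would reject with HTTP 400: a missing
    "event" section, or top-level keys that are not HEC metadata."""
    problems = []
    if "event" not in payload:
        problems.append("missing top-level 'event' key")
    for key in sorted(payload):
        if key != "event" and key not in HEC_METADATA_KEYS:
            problems.append(f"unknown top-level key {key!r}")
    return problems


# Constructed sample record with the cpu input's fields shown in the text.
CPU_RECORD = {"cpu_p": 0.0, "user_p": 0.0, "system_p": 0.0}
TS = 1700000000.0  # constructed record timestamp

if __name__ == "__main__":
    # Default mode: the plugin does the nesting, so the payload is valid.
    nested = build_hec_payload(CPU_RECORD, TS)
    print(json.dumps(nested), validate_hec_payload(nested))
    # Raw mode, record already wrapped and given index/host: valid.
    raw_ok = {"index": "my-splunk-index", "host": "my-host", "event": CPU_RECORD}
    print(validate_hec_payload(build_hec_payload(raw_ok, TS, send_raw=True)))
    # Raw mode, record never wrapped: unknown keys, no event -> HTTP 400.
    print(validate_hec_payload(build_hec_payload(CPU_RECORD, TS, send_raw=True)))
```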

    Consider the following example:

    splunk_send_raw off

    splunk_send_raw on

    For up-to-date information about the valid keys in the top-level object, refer to the Splunk documentation: