Splunk HEC
Configuration Options
Required Options
endpoint (required)
The base URL of the Splunk instance.
Type | Syntax | Default | Example |
---|---|---|---|
string | literal | | ["https://http-inputs-hec.splunkcloud.com","https://hec.splunk.com:8088","http://example.com"] |
inputs (required)
A list of upstream source or transform IDs. Wildcards (*) are supported.
See configuration for more info.
Type | Syntax | Default | Example |
---|---|---|---|
array | literal | | ["my-source-or-transform-id","prefix-*"] |
encoding (required)
Configures the encoding-specific sink behavior.
Type | Syntax | Default | Example |
---|---|---|---|
hash | literal | | [] |
token (required)
Your Splunk HEC token.
Type | Syntax | Default | Example |
---|---|---|---|
string | literal | | ["${SPLUNK_HEC_TOKEN}","A94A8FE5CCB19BA61C4C08"] |
type (required)
The component type. This is a required field for all components and tells Vector which component to use.
Type | Syntax | Default | Example |
---|---|---|---|
string | literal | | ["splunk_hec"] |
Advanced Options
host_key (optional)
The name of the log field to be used as the hostname sent to Splunk HEC. This overrides the global host_key option.
Type | Syntax | Default | Example |
---|---|---|---|
string | literal | | ["hostname"] |
index (optional)
The name of the index to send the events to. If not specified, the default index is used.
Type | Syntax | Default | Example |
---|---|---|---|
string | template | | ["{{ host }}","custom_index"] |
indexed_fields (optional)
Fields to be added to the Splunk index.
Type | Syntax | Default | Example |
---|---|---|---|
array | field_path | | ["field1","field2"] |
source (optional)
The source of events sent to this sink. Typically the filename the logs originated from. If unset, the Splunk collector will set it.
Type | Syntax | Default | Example |
---|---|---|---|
string | template | | ["{{ file }}","/var/log/syslog","UDP:514"] |
sourcetype (optional)
The sourcetype of events sent to this sink. If unset, Splunk will default to httpevent.
Type | Syntax | Default | Example |
---|---|---|---|
string | template | | ["{{ sourcetype }}","_json","httpevent"] |
buffer (optional)
Configures the sink-specific buffer behavior.
Type | Syntax | Default | Example |
---|---|---|---|
hash | literal | | [] |
batch (optional)
Configures the sink batching behavior.
Type | Syntax | Default | Example |
---|---|---|---|
hash | | | [] |
compression (optional)
The compression strategy used to compress the encoded event data before transmission.
Some cloud storage API clients and browsers will handle decompression transparently, so files may not always appear to be compressed, depending on how they are accessed.
Type | Syntax | Default | Example |
---|---|---|---|
string | literal | none | |
healthcheck (optional)
Health check options for the sink.
Type | Syntax | Default | Example |
---|---|---|---|
hash | | | [] |
request (optional)
Configures the sink request behavior.
Type | Syntax | Default | Example |
---|---|---|---|
hash | | | [] |
tls (optional)
Configures the TLS options for incoming connections.
Type | Syntax | Default | Example |
---|---|---|---|
hash | literal | | [] |
proxy (optional)
Configures an HTTP(S) proxy for Vector to use. By default, the globally configured proxy is used.
Type | Syntax | Default | Example |
---|---|---|---|
hash | literal | | [] |
How it Works
State
This component is stateless, meaning its behavior is consistent across each input.
Health checks
Health checks ensure that the downstream service is accessible and ready to accept data. This check is performed upon sink initialization. If the health check fails, an error will be logged and Vector will proceed to start.
Partitioning
Vector supports dynamic configuration values through a simple template syntax. If an option supports templating, it will be noted with a badge and you can use event fields to create dynamic values. For example:
[sinks.my-sink]
dynamic_option = "application={{ application_id }}"
In the above example, the application_id for each event will be used to partition outgoing data.
Rate limits & adaptive concurrency
Transport Layer Security (TLS)
Buffers and batches
This component buffers & batches data as shown in the diagram above. You'll notice that Vector treats these concepts differently: instead of treating them as global concepts, Vector treats them as sink-specific concepts. This isolates sinks, ensuring service disruptions are contained and delivery guarantees are honored.
Batches are flushed when 1 of 2 conditions are met:
- The batch age meets or exceeds the configured timeout_secs.
- The batch size meets or exceeds the configured max_size or max_events.
Buffers are controlled via the buffer.* options.
Retry policy
Vector will retry failed requests (status == 429, >= 500, and != 501). Other responses will not be retried. You can control the number of retry attempts and backoff rate with the request.retry_attempts and request.retry_backoff_secs options.
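A complete sink definition that ties together the options above, added here as an example and not taken from the Vector documentation. The sink ID, the CA file path and all numeric values are placeholders, and the sub-keys under encoding, healthcheck and tls are Vector option names that this page does not list.

```toml
# Added example, not taken from the Vector documentation.
[sinks.splunk_out]                       # sink ID is a placeholder
type     = "splunk_hec"
inputs   = ["my-source-or-transform-id"] # placeholder upstream ID
endpoint = "https://hec.splunk.com:8088" # HTTPS endpoint from the examples above
token    = "${SPLUNK_HEC_TOKEN}"         # resolved from the environment; keeps the secret out of the file

# Event metadata. index is a template, so outgoing data is partitioned
# by the value rendered from each event's host field.
index          = "{{ host }}"
sourcetype     = "_json"
indexed_fields = ["field1", "field2"]

compression = "gzip"                     # assumed value; the page only shows the default, none

# Sub-keys below are Vector option names that this page does not list.
encoding.codec         = "json"
healthcheck.enabled    = true            # a failed check is logged; Vector still starts
tls.verify_certificate = true            # validate the HEC server certificate
tls.ca_file            = "/etc/vector/splunk-ca.pem"  # placeholder path

# A batch is flushed when either limit is reached.
batch.max_events   = 500                 # placeholder value
batch.timeout_secs = 1                   # placeholder value

# Retries apply to 429 and to 5xx responses other than 501.
request.retry_attempts     = 5           # placeholder value
request.retry_backoff_secs = 1           # placeholder value
```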