Splunk HTTP Event Collector (HEC) Destination
This product is not supported for your selected
Datadog site. (
).
Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) destination to send logs to Splunk HEC.
Setup
Set up the Splunk HEC destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.
Set up the destination
Observability Pipelines compresses logs with the gzip (level 6) algorithm.
The following fields are optional:
- Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC. See template syntax if you want to route logs to different indexes based on specific fields in your logs.
- Select whether the timestamp should be auto-extracted. If set to
true, Splunk extracts the timestamp from the message with the expected format of yyyy-mm-dd hh:mm:ss. - Optionally, set the
sourcetype to override Splunk’s default value, which is httpevent for HEC data. See template syntax if you want to route logs to different source types based on specific fields in your logs. - Optionally, toggle the switch to enable Buffering Options. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn’t create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing logs to disk, ensuring buffered logs persist through a Worker restart. See Configurable buffers for destinations for more information.
- If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
- To configure a buffer on your destination:
- Select the buffer type you want to set (Memory or Disk).
- Enter the buffer size and select the unit.
- Maximum memory buffer size is 128 GB.
- Maximum disk buffer size is 500 GB.
Set the environment variables
- Splunk HEC token:
- The Splunk HEC token for the Splunk indexer. Note: Depending on your shell and environment, you may not want to wrap your environment variable in quotes.
- Stored in the environment variable
DD_OP_DESTINATION_SPLUNK_HEC_TOKEN.
- Base URL of the Splunk instance:
- The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example,
https://hec.splunkcloud.com:8088.
Note: /services/collector/event path is automatically appended to the endpoint. - Stored in the environment variable
DD_OP_DESTINATION_SPLUNK_HEC_ENDPOINT_URL.
How the destination works
Event batching
A batch of events is flushed when one of these parameters is met. See event batching for more information.
| Max Events | Max Bytes | Timeout (seconds) |
|---|
| None | 1,000,000 | 1 |
