Splunk HTTP Event Collector (HEC) Destination
Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) destination to send logs to Splunk HEC.
Setup
Set up the Splunk HEC destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.
Set up the destination
The following fields are optional:
- Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC.
- Select whether the timestamp should be auto-extracted. If set to
true, Splunk extracts the timestamp from the message with the expected format of yyyy-mm-dd hh:mm:ss. - Set the
sourcetype to override Splunk’s default value, which is httpevent for HEC data.
Set the environment variables
- Splunk HEC token:
- The Splunk HEC token for the Splunk indexer.
- Stored in the environment variable
DD_OP_DESTINATION_SPLUNK_HEC_TOKEN.
- Base URL of the Splunk instance:
- The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example,
https://hec.splunkcloud.com:8088.
Note: /services/collector/event path is automatically appended to the endpoint. - Stored in the environment variable
DD_OP_DESTINATION_SPLUNK_HEC_ENDPOINT_URL.
How the destination works
Event batching
A batch of events is flushed when one of these parameters is met. See event batching for more information.
| Max Events | Max Bytes | Timeout (seconds) |
|---|
| None | 1,000,000 | 1 |
