---
title: Splunk HTTP Event Collector (HEC) Source
description: Datadog, the leading service for cloud-scale monitoring.
---

# Splunk HTTP Event Collector (HEC) Source

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}
Available for: {% icon name="icon-logs" /%} Logs

## Overview{% #overview %}

Use Observability Pipelines' Splunk HTTP Event Collector (HEC) source to receive logs from your Splunk HEC.

**Note**: Use the Splunk HEC source if you want to send logs from the Splunk Distribution of the OpenTelemetry Collector to Observability Pipelines.

## Prerequisites{% #prerequisites %}

To use Observability Pipelines' Splunk HTTP Event Collector (HEC) source, you need applications that send data to Splunk in the [expected HEC format](https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector).

To use Observability Pipelines' Splunk HEC destination, you need a Splunk Enterprise or Cloud instance configured with an HTTP Event Collector (HEC) input. You also need the following information:

- The Splunk HEC token.
- The bind address that your Observability Pipelines Worker will listen on to receive logs from your applications. For example, `0.0.0.0:8080`. Later on, you configure your applications to send logs to this address.
- The base URL of the Splunk instance that the Worker will send processed logs to. This URL should include the port that is globally configured for Splunk HTTP Event Collectors on your Splunk instance. For example, for Splunk Cloud: `https://prd-p-0mupp.splunkcloud.com:8088`.
- If your HECs are globally configured to enable SSL, then you also need the appropriate [TLS certificates](https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/StepstosecuringSplunkwithTLS#2._Obtain_the_certificates_that_you_need_to_secure_your_Splunk_platform_deployment) and the password you used to create your private key file.

See [Configure HTTP Event Collector on Splunk Web](https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector) for more information about setting up Splunk HEC.

**Note**: Observability Pipelines does not support HEC Indexer Acknowledgement.

## Setup{% #setup %}

Set up this source when you [set up a pipeline](https://docs.datadoghq.com/observability_pipelines/configuration/set_up_pipelines/). You can set up a pipeline in the [UI](https://app.datadoghq.com/observability-pipelines), using the [API](https://docs.datadoghq.com/api/latest/observability-pipelines/), or with [Terraform](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/observability_pipeline). The instructions in this section are for setting up the source in the UI.

{% alert level="danger" %}
Only enter the identifiers for the Splunk HEC address and, if applicable, the TLS key pass. Do not enter the actual values.
{% /alert %}

- Enter the identifier for your Splunk HEC address. If you leave it blank, the default is used.

### Optional TLS settings{% #optional-tls-settings %}

Toggle the switch to **Enable TLS**.

- If you are using Secrets Management, enter the identifier for the key pass. See [Set secrets](#set-secrets) for the default used if the field is left blank.
- The following certificate and key files are required:
  - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER, PEM, or CRT (X.509).
  - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) root file in DER, PEM, or CRT (X.509).
  - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER, PEM, or CRT (PKCS #8) format.
  - **Notes**:
    - The configuration data directory `/var/lib/observability-pipelines-worker/config/` is automatically appended to the file paths. See [Advanced Worker Configurations](https://docs.datadoghq.com/observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/) for more information.
    - The file must be readable by the `observability-pipelines-worker` group and user.
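
A preflight check for the two notes above, as an added example (not Datadog's code): it resolves each entered path under the configuration data directory and reports files the Worker account cannot read, plus a private key that other users can access. It assumes the directory is prefixed to the path you enter; the file names in the `__main__` section are placeholders.

```python
import stat
from pathlib import Path

# Directory named on the page; how the Worker joins it with the entered path is assumed.
CONFIG_DIR = "/var/lib/observability-pipelines-worker/config"
WORKER_ACCOUNT = "observability-pipelines-worker"  # user and group named on the page


def readable_by(st, uid, gids):
    """Decide from the mode bits alone whether uid/gids may read (ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(entered, uid, gids, config_dir=CONFIG_DIR):
    """entered maps a role ('cert', 'ca', 'key') to the path typed into the UI."""
    findings = []
    for role, rel in entered.items():
        full = Path(config_dir) / rel.lstrip("/")
        if not full.is_file():
            findings.append(f"{role}: {full} does not exist")
            continue
        st = full.stat()
        if not readable_by(st, uid, gids):
            findings.append(f"{role}: {full} is not readable by the Worker account")
        # A private key should grant no permissions at all to "other".
        if role == "key" and st.st_mode & stat.S_IRWXO:
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{role}: {full} is open to other users (mode {mode:o})")
    return findings


if __name__ == "__main__":
    import grp
    import pwd

    account = pwd.getpwnam(WORKER_ACCOUNT)  # KeyError if the Worker is not installed
    gids = {account.pw_gid, grp.getgrnam(WORKER_ACCOUNT).gr_gid}
    # Placeholder file names, not values from the page.
    entered = {"cert": "server.crt", "ca": "ca.crt", "key": "server.key"}
    for line in check_tls_files(entered, account.pw_uid, gids) or ["TLS files look fine"]:
        print(line)
```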

## Set secrets{% #set-secrets %}

These are the defaults used for secret identifiers and environment variables.

**Note**: If you enter secret identifiers and then choose to use environment variables, the environment variable name is the identifier you entered, prefixed with `DD_OP_`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.

{% tab title="Secrets Management" %}

- Splunk HEC address identifier:
  - References the bind address, such as `0.0.0.0:8088`, on which your Observability Pipelines Worker listens to receive logs originally intended for the Splunk indexer.
  - The default identifier is `SOURCE_SPLUNK_HEC_ADDRESS`.
- Splunk HEC TLS passphrase identifier (when TLS is enabled):
  - The default identifier is `SOURCE_SPLUNK_HEC_KEY_PASS`.

{% /tab %}

{% tab title="Environment Variables" %}

- Splunk HEC address:
  - The bind address that your Observability Pipelines Worker listens on to receive logs originally intended for the Splunk indexer. For example, `0.0.0.0:8088`. **Note**: `/services/collector/event` is automatically appended to the endpoint.
  - The default environment variable is `DD_OP_SOURCE_SPLUNK_HEC_ADDRESS`.
- Splunk HEC TLS passphrase (when enabled):
  - The default environment variable is `DD_OP_SOURCE_SPLUNK_HEC_KEY_PASS`.

{% /tab %}

## Send logs to the Observability Pipelines Worker over Splunk HEC{% #send-logs-to-the-observability-pipelines-worker-over-splunk-hec %}

After you install the Observability Pipelines Worker and deploy the configuration, the Worker exposes three HTTP endpoints that use the [Splunk HEC API](https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/UsetheHTTPEventCollector):

- `/services/collector/event`
- `/services/collector/raw`
- `/services/collector/health`

To send logs to your Splunk index, you must point your existing upstream log sources to the Worker.

```shell
curl http://<OPW_HOST>:8088/services/collector/event \
	-d '{"event": {"a": "value1", "b": ["value1_1", "value1_2"]}}'
```

`<OPW_HOST>` is the IP/URL of the host (or load balancer) associated with the Observability Pipelines Worker. For CloudFormation installs, the `LoadBalancerDNS` CloudFormation output has the correct URL to use. For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example `opw-observability-pipelines-worker.default.svc.cluster.local`.

At this point, your logs should be going to the Worker, processed by the pipeline, and delivered to the configured destination.
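
The same request as the `curl` call above, sent from Python with a health check first and, for an `https://` address, certificate verification against your CA (an added example, not Datadog's code). The `host` and `sourcetype` values, the optional `Authorization: Splunk <token>` header, and stacking several events in one request follow the Splunk HEC format and are assumptions about what your Worker is configured to accept.

```python
import json
import ssl
import urllib.request

EVENT_PATH = "/services/collector/event"    # endpoints listed on the page
HEALTH_PATH = "/services/collector/health"


def hec_batch(records, host, sourcetype):
    """Encode records as stacked HEC event objects, one JSON object per line."""
    return "\n".join(
        json.dumps({"host": host, "sourcetype": sourcetype, "event": rec})
        for rec in records
    ).encode("utf-8")


def build_request(base_url, body, token=None):
    """Build the POST to the Worker's event endpoint; token is optional (assumption)."""
    if not base_url.startswith(("http://", "https://")):
        raise ValueError("base_url must start with http:// or https://")
    req = urllib.request.Request(base_url.rstrip("/") + EVENT_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Splunk {token}")
    return req


def send(base_url, records, host, sourcetype, token=None, ca_file=None, timeout=5):
    """Check the health endpoint, then post one batch; returns the HTTP status."""
    # For https, verify the Worker's certificate against the CA that signed it.
    ctx = ssl.create_default_context(cafile=ca_file) if base_url.startswith("https://") else None
    health = base_url.rstrip("/") + HEALTH_PATH
    with urllib.request.urlopen(health, context=ctx, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"Worker health check returned {resp.status}")
    req = build_request(base_url, hec_batch(records, host, sourcetype), token)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample records; replace <OPW_HOST> before running.
    sample = [{"a": "value1", "b": ["value1_1", "value1_2"]}, {"a": "value2"}]
    print(send("http://<OPW_HOST>:8088", sample, host="web-1", sourcetype="app_json"))
```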

## Send logs from the Splunk Distribution of the OpenTelemetry Collector to Observability Pipelines{% #send-logs-from-the-splunk-distribution-of-the-opentelemetry-collector-to-observability-pipelines %}

To send logs from the Splunk Distribution of the OpenTelemetry Collector:

1. Install the Splunk OpenTelemetry Collector based on your environment:
   - [Kubernetes](https://help.splunk.com/en/splunk-observability-cloud/manage-data/splunk-distribution-of-the-opentelemetry-collector/get-started-with-the-splunk-distribution-of-the-opentelemetry-collector/collector-for-kubernetes)
   - [Linux](https://help.splunk.com/en/splunk-observability-cloud/manage-data/splunk-distribution-of-the-opentelemetry-collector/get-started-with-the-splunk-distribution-of-the-opentelemetry-collector/collector-for-linux)
1. [Set up a pipeline](https://docs.datadoghq.com/observability_pipelines/configuration/set_up_pipelines) using the Splunk HEC source.
1. Configure the Splunk OpenTelemetry Collector:
   ```bash
   cp /etc/otel/collector/splunk-otel-collector.conf.example /etc/otel/collector/splunk-otel-collector.conf
   ```

   ```bash
   # Splunk HEC endpoint URL, if forwarding to Splunk Observability Cloud
   # SPLUNK_HEC_URL=https://ingest.us0.signalfx.com/v1/log
   # If you're forwarding to a Splunk Enterprise instance running on example.com, with HEC at port 8088:
   SPLUNK_HEC_URL=http://<OPW_HOST>:8088/services/collector
   ```

   - `<OPW_HOST>` is the IP or URL of the host (or load balancer) associated with the Observability Pipelines Worker.
     - For CloudFormation installs, the `LoadBalancerDNS` CloudFormation output has the correct URL to use.
     - For Kubernetes installs, the internal DNS record of the Observability Pipelines Worker service can be used, for example `opw-observability-pipelines-worker.default.svc.cluster.local`.

**Note**: If you are using a firewall, make sure your firewall allows traffic from the Splunk OpenTelemetry Collector to the Worker.
