Splunk via HEC output plugin for Fluentd

Overview

More info at https://github.com/splunk/fluent-plugin-splunk-hec

Example output configurations

spec:
  SplunkHec:
    hec_host: splunk.default.svc.cluster.local
    hec_port: 8088
    protocol: http
    # hec_token (required) is given as a secret reference; see the table below.

Configuration

SplunkHecOutput

SplunkHecOutput sends your logs to Splunk via HEC

| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| data_type | string | No | event | The type of data that will be sent to Splunk, either event or metric. |
| hec_host | string | Yes | - | You can specify the SplunkHec host with this parameter. |
| hec_port | int | No | 8088 | The port number for the HEC token or the HEC load balancer. |
| protocol | string | No | https | This is the protocol to use for calling the HEC API. Available values are: http, https. |
| hec_token | *secret.Secret | Yes | - | Identifier for the HEC token. |
| metrics_from_event | *bool | No | - | When data_type is set to “metric”, the ingest API will treat every key-value pair in the input event as a metric name-value pair. Set metrics_from_event to false to disable this behavior and use metric_name_key and metric_value_key to define metrics. (Default: true) |
| metrics_name_key | string | No | true | Field name that contains the metric name. This parameter only works in conjunction with the metrics_from_event parameter. When this parameter is set, the metrics_from_event parameter is automatically set to false. |
| metrics_value_key | string | No | - | Field name that contains the metric value. This parameter is required when metric_name_key is configured. |
| coerce_to_utf8 | *bool | No | true | Indicates whether to allow non-UTF-8 characters in user logs. If set to true, any non-UTF-8 character is replaced by the string specified in non_utf8_replacement_string. If set to false, the Ingest API errors out any non-UTF-8 characters. |
| non_utf8_replacement_string | string | No | ' ' | If coerce_to_utf8 is set to true, any non-UTF-8 character is replaced by the string you specify in this parameter. |
| index | string | No | - | Identifier for the Splunk index to be used for indexing events. If this parameter is not set, the indexer is chosen by HEC. Cannot set both index and index_key parameters at the same time. |
| index_key | string | No | - | The field name that contains the Splunk index name. Cannot set both index and index_key parameters at the same time. |
| host | string | No | - | The host location for events. Cannot set both host and host_key parameters at the same time. (Default: hostname) |
| host_key | string | No | - | Key for the host location. Cannot set both host and host_key parameters at the same time. |
| source | string | No | - | The source field for events. If this parameter is not set, the source will be decided by HEC. Cannot set both source and source_key parameters at the same time. |
| source_key | string | No | - | Field name to contain source. Cannot set both source and source_key parameters at the same time. |
| sourcetype | string | No | - | The sourcetype field for events. When not set, the sourcetype is decided by HEC. Cannot set both sourcetype and sourcetype_key parameters at the same time. |
| sourcetype_key | string | No | - | Field name that contains the sourcetype. Cannot set both sourcetype and sourcetype_key parameters at the same time. |
| keep_keys | bool | No | - | By default, all the fields used by the *_key parameters are removed from the original input events. To change this behavior, set this parameter to true. This parameter is set to false by default. When set to true, all fields defined in index_key, host_key, source_key, sourcetype_key, metric_name_key, and metric_value_key are saved in the original event. |
| idle_timeout | int | No | - | If a connection has not been used for this number of seconds, it will automatically be reset upon the next use to avoid attempting to send to a closed connection. nil means no timeout. |
| read_timeout | int | No | - | The amount of time allowed between reading two chunks from the socket. |
| open_timeout | int | No | - | The amount of time to wait for a connection to be opened. |
| client_cert | string | No | - | The path to a file containing a PEM-format CA certificate for this client. |
| client_key | string | No | - | The private key for this client. |
| ca_file | string | No | - | The path to a file containing a PEM-format CA certificate. |
| ca_path | string | No | - | The path to a directory containing CA certificates in PEM format. |
| ssl_ciphers | string | No | - | List of SSL ciphers allowed. |
| insecure_ssl | *bool | No | false | Indicates if insecure SSL connection is allowed. |
| fields | map[string]string | No | - | In this case, parameters inside are used as indexed fields and removed from the original input events. |
| format | *Format | No | - | Format |
| buffer | *Buffer | No | - | Buffer |
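
The rules stated in the table above (required parameters, parameters that cannot be set together, the https default for protocol) can be checked before a spec is applied. The following is an added example, not code from the logging operator or the Splunk plugin; `check_splunk_hec`, the sample specs and the `valueFrom`/`secretKeyRef` shape of the secret reference are assumptions.

```python
# Added example; check_splunk_hec and the sample specs are hypothetical.

REQUIRED = ("hec_host", "hec_token")
# Pairs the table says cannot be set together. The sourcetype pair is an
# assumption that it follows the same rule as the other three.
EXCLUSIVE = (("index", "index_key"), ("host", "host_key"),
             ("source", "source_key"), ("sourcetype", "sourcetype_key"))


def check_splunk_hec(spec):
    """Return a list of findings for one SplunkHec spec dict."""
    findings = []
    for key in REQUIRED:
        if not spec.get(key):
            findings.append(f"missing required parameter: {key}")
    for a, b in EXCLUSIVE:
        if a in spec and b in spec:
            findings.append(f"cannot set both {a} and {b}")
    # protocol defaults to https; over http the HEC token travels in cleartext.
    if spec.get("protocol", "https") != "https":
        findings.append("protocol is not https")
    if spec.get("insecure_ssl", False):
        findings.append("insecure_ssl is true")
    # hec_token is typed *secret.Secret, so a literal string is a mistake.
    if isinstance(spec.get("hec_token"), str):
        findings.append("hec_token is a literal string, not a secret reference")
    return findings


# Constructed sample specs. The valueFrom/secretKeyRef shape of the secret
# reference is an assumption; the page only gives the type name.
WEAK = {
    "hec_host": "splunk.default.svc.cluster.local",
    "hec_token": "00000000-0000-0000-0000-000000000000",
    "protocol": "http",
    "insecure_ssl": True,
    "index": "main",
    "index_key": "splunk_index",
}
HARDENED = {
    "hec_host": "splunk.default.svc.cluster.local",
    "hec_token": {"valueFrom": {"secretKeyRef": {"name": "splunk-hec", "key": "token"}}},
    "ca_file": "/etc/ssl/splunk/ca.pem",
    "index_key": "splunk_index",
}

if __name__ == "__main__":
    for name, spec in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_splunk_hec(spec) or "ok")
```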