Splunk HTTP Event Collector (HEC) Destination

Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) destination to send logs to Splunk HEC.

Setup

Set up the Splunk HEC destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

The following fields are optional:

  1. Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC. See template syntax if you want to route logs to different indexes based on specific fields in your logs.
  2. Select whether the timestamp should be auto-extracted. If set to true, Splunk extracts the timestamp from the message with the expected format of yyyy-mm-dd hh:mm:ss.
  3. Optionally, set the sourcetype to override Splunk’s default value, which is httpevent for HEC data. See template syntax if you want to route logs to different source types based on specific fields in your logs.

Set the environment variables

  • Splunk HEC token:
    • The Splunk HEC token for the Splunk indexer.
    • Stored in the environment variable DD_OP_DESTINATION_SPLUNK_HEC_TOKEN.
  • Base URL of the Splunk instance:
    • The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example, https://hec.splunkcloud.com:8088.
      Note: /services/collector/event path is automatically appended to the endpoint.
    • Stored in the environment variable DD_OP_DESTINATION_SPLUNK_HEC_ENDPOINT_URL.

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

Max EventsMax BytesTimeout (seconds)
None1,000,0001
PREVIEWING: domalessi/docs-10186