Use Observability Pipelines’ Splunk HTTP Event Collector (HEC) destination to send logs to Splunk HEC.

Setup

Set up the Splunk HEC destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

The following fields are optional:

1. Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC.
2. Select whether the timestamp should be auto-extracted. If set to true, Splunk extracts the timestamp from the message with the expected format of yyyy-mm-dd hh:mm:ss.
3. Set the sourcetype to override Splunk’s default value, which is httpevent for HEC data.

Set the environment variables

• Splunk HEC token:
  • The Splunk HEC token for the Splunk indexer.
  • Stored in the environment variable DD_OP_DESTINATION_SPLUNK_HEC_TOKEN.
• Base URL of the Splunk instance:
  • The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example, https://hec.splunkcloud.com:8088.
    Note: /services/collector/event path is automatically appended to the endpoint.
  • Stored in the environment variable DD_OP_DESTINATION_SPLUNK_HEC_ENDPOINT_URL.

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.