Splunk HEC (splunk-hec)
Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC).
Observability json
Minimal example
JSON
Fields
| Field | Group | Type | Required | Description |
|---|---|---|---|---|
| url | Endpoint | url (string) | ✅ | The URL of the Splunk HEC instance (example: https://127.0.0.1:8088/services/collector/event). Examples: https://example.com/path |
| hec-token | Collector Options | Hec Token | ✅ | Specify a value to use for the HEC Token or set it using an event field. |
| batch | Processing | Batch | | Batching input events together. |
| retry | Reliability | Retry | | How to retry this operation. |
| insecure | Security | boolean (bool) | | Ignore TLS certificate validation errors (This is not recommended). |
| metrics | Collector Options | boolean (bool) | | Send a metrics formatted payload to the HEC endpoint. |
| event-field | Collector Options | field (string) | | If specified, the field’s contents will be submitted as the event payload to the endpoint. Examples: data_field |
| time-field | Collector Options | field (string) | | Use the specified field for the timestamp of the endpoint. This should be in Unix epoch format. Examples: data_field |
| index | Collector Options | Index | | Specify a value to use for the Splunk index or set it using an event field. |
| host | Collector Options | Host | | Specify a value to use for the Splunk host or set it using an event field. |
| source | Collector Options | Source | | Specify a value to use for the Splunk source or set it using an event field. |
| sourcetype | Collector Options | Sourcetype | | Specify a value to use for the Splunk sourcetype or set it using an event field. |
| remove | Collector Options | boolean (bool) | | Consume (remove) fields from the event payload before submitting to the endpoint. Applicable to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field. |
| disable-preflight | Security | boolean (bool) | | Disable the Splunk HEC “preflight” verification request (not recommended). When enabled (default), LyftData performs a lightweight request to a derived HEC health URL before sending any event payloads, to reduce the risk of accidental misconfiguration sending sensitive data to a non-HEC endpoint. |

Processing
| Field | Type | Required | Description |
|---|---|---|---|
| batch | Batch | | Batching input events together. |

Reliability
| Field | Type | Required | Description |
|---|---|---|---|
| retry | Retry | | How to retry this operation. |

Endpoint
Collector Options
| Field | Type | Required | Description |
|---|---|---|---|
| hec-token | Hec Token | ✅ | Specify a value to use for the HEC Token or set it using an event field. |
| metrics | boolean (bool) | | Send a metrics formatted payload to the HEC endpoint. |
| event-field | field (string) | | If specified, the field’s contents will be submitted as the event payload to the endpoint. Examples: data_field |
| time-field | field (string) | | Use the specified field for the timestamp of the endpoint. This should be in Unix epoch format. Examples: data_field |
| index | Index | | Specify a value to use for the Splunk index or set it using an event field. |
| host | Host | | Specify a value to use for the Splunk host or set it using an event field. |
| source | Source | | Specify a value to use for the Splunk source or set it using an event field. |
| sourcetype | Sourcetype | | Specify a value to use for the Splunk sourcetype or set it using an event field. |
| remove | boolean (bool) | | Consume (remove) fields from the event payload before submitting to the endpoint. Applicable to time-field, host-field, source-field, sourcetype-field, index-field and hec-token-field. |

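
How the value/field options and remove interact, as an added sketch (not LyftData's code): it builds the standard Splunk HEC event envelope and Authorization header for one event, and shows that a token or routing field taken from the event stays in the submitted payload unless remove is set. The flat `opts` dict, `build_request` and the sample values are assumptions of this example.

```python
# HEC metadata key -> (fixed-value option, per-event field option), using the
# option names from this page's Schema tables. "time" has only a field form.
META = {
    "index": ("index-value", "index-field"),
    "host": ("host-value", "host-field"),
    "source": ("source-value", "source-field"),
    "sourcetype": ("source-type-value", "source-type-field"),
    "time": (None, "time-field"),
}


def build_request(event, opts):
    """Return (headers, envelope) for one event. `opts` is a flat dict of the
    page's option names (an assumption of this sketch, not LyftData's layout)."""
    payload = dict(event)   # work on a copy; the caller's event is untouched
    consumed = []           # event fields that supplied metadata or the token

    def resolve(value_opt, field_opt):
        # A fixed value wins; otherwise read the named field from the event.
        if value_opt and value_opt in opts:
            return opts[value_opt]
        field = opts.get(field_opt)
        if field and field in payload:
            consumed.append(field)
            return payload[field]
        return None

    token = resolve("hec-token-value", "hec-token-field")
    if not token:
        raise ValueError("no HEC token configured or present in the event")
    envelope = {}
    for key, (value_opt, field_opt) in META.items():
        value = resolve(value_opt, field_opt)
        if value is not None:
            envelope[key] = value
    if opts.get("remove"):
        # Strip consumed fields so the token is not indexed with the event.
        for field in consumed:
            payload.pop(field, None)
    envelope["event"] = payload
    return {"Authorization": f"Splunk {token}"}, envelope


# Constructed sample event and options (not real data or a real token).
EVENT = {"msg": "login failed", "ts": 1700000000, "idx": "sec", "tok": "CONSTRUCTED-TOKEN"}
OPTS = {"hec-token-field": "tok", "time-field": "ts", "index-field": "idx", "host-value": "web01"}
```
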
Security
| Field | Type | Required | Description |
|---|---|---|---|
| insecure | boolean (bool) | | Ignore TLS certificate validation errors (This is not recommended). |
| disable-preflight | boolean (bool) | | Disable the Splunk HEC “preflight” verification request (not recommended). When enabled (default), LyftData performs a lightweight request to a derived HEC health URL before sending any event payloads, to reduce the risk of accidental misconfiguration sending sensitive data to a non-HEC endpoint. |

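
The preflight idea described for disable-preflight, as an added sketch (not LyftData's code): it derives a health URL from the configured event URL and accepts the target only if it answers like an HEC, with certificate validation left on. How LyftData derives its health URL is not stated on this page; the `/services/collector/health` path (Splunk's HEC health endpoint), the HTTPS-only and path rules, and the function names are assumptions of this sketch.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEALTH_PATH = "/services/collector/health"  # Splunk's HEC health endpoint


def derive_health_url(event_url):
    """Map a configured HEC event URL to the health URL on the same host.

    Assumption of this sketch: keep scheme, host and port, swap the path, and
    reject URLs that are not HTTPS or whose path is not under the collector.
    """
    parts = urlsplit(event_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS or host-less HEC URL: {event_url!r}")
    if "/services/collector" not in parts.path:
        raise ValueError(f"path does not look like an HEC endpoint: {parts.path!r}")
    return urlunsplit((parts.scheme, parts.netloc, HEALTH_PATH, "", ""))


def looks_like_hec(status, body):
    """Accept only a 200 whose JSON body has HEC's text/code reply shape."""
    if status != 200:
        return False
    try:
        reply = json.loads(body)
    except ValueError:  # not JSON (or not decodable): e.g. an HTML login page
        return False
    return isinstance(reply, dict) and "text" in reply and isinstance(reply.get("code"), int)


def preflight(event_url, timeout=5.0):
    """Run the check with certificate validation on (the opposite of insecure)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    req = urllib.request.Request(derive_health_url(event_url), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return looks_like_hec(resp.status, resp.read())
    except OSError:  # URLError, TLS failures and timeouts all derive from OSError
        return False
```
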
Schema
Hec Token Options
| Option | Name | Type | Description |
|---|---|---|---|
| hec-token-value | Hec Token Value | string | |
| hec-token-field | Hec Token Field | string | |

Index Options
| Option | Name | Type | Description |
|---|---|---|---|
| index-value | Index Value | string | |
| index-field | Index Field | string | |

Host Options
| Option | Name | Type | Description |
|---|---|---|---|
| host-value | Host Value | string | |
| host-field | Host Field | string | |

Source Options
| Option | Name | Type | Description |
|---|---|---|---|
| source-value | Source Value | string | |
| source-field | Source Field | string | |

Sourcetype Options
| Option | Name | Type | Description |
|---|---|---|---|
| source-type-value | Source Type Value | string | |
| source-type-field | Source Type Field | string | |

Batch Fields
| Field | Type | Required | Description |
|---|---|---|---|
| fixed-size | number (integer) | | Maximum number of events in an output batch. Examples: 42, 1.2e-10 |
| mode | Mode | ✅ | If ‘document’, send at the end of each document generated by the input. If ‘fixed’, use fixed-size. Allowed values: fixed, document |
| timeout | time-interval (string) | ✅ | Interval after which the batch is sent, to keep throughput going (default 100ms). Examples: 500ms, 2h |
| header | multiline-text (string) | | Put a header line before the batch. |
| footer | multiline-text (string) | | Put a footer line after the last line of the batch. |
| use-document-marker | boolean (bool) | | Enrich the job metadata with a document marker (for document handling in batch mode). |
| wrap-as-json | boolean (bool) | | Format the output batch as a JSON array. |

Retry Fields
| Field | Type | Required | Description |
|---|---|---|---|
| timeout | time-interval (string) | ✅ | Timeout (e.g. 500ms, 2s etc. - default is 30). Examples: 500ms, 2h |
| retries | number (integer) | | Number of retries. Examples: 42, 1.2e-10 |

Batch - Mode Options
| Value | Description |
|---|---|
| fixed | Fixed |
| document | Document |