# Splunk

{% hint style="info" %}
The Splunk output is currently a *technology preview*. The design and implementation are less mature than stable features and subject to change.
{% endhint %}

The Splunk HEC output can be used to send records to [Splunk Enterprise](https://www.splunk.com/en_us/software/splunk-enterprise.html) or [Splunk Cloud Platform](https://www.splunk.com/en_us/software/splunk-cloud-platform.html) via the [HTTP Event Collector](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector).

## EF\_OUTPUT\_SPLUNK\_HEC\_ENABLE

Specifies whether the Splunk output is enabled.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_OUTPUT\_SPLUNK\_HEC\_CIM\_ENABLE

Specifies whether the data will be sent using the Splunk Common Information Model (CIM).

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_OUTPUT\_SPLUNK\_HEC\_ADDRESSES

This setting specifies the Splunk servers to which the output should connect. It is a comma-separated list of Splunk nodes, including port number.

{% hint style="danger" %}
Do **NOT** include `http://` or `https://` in the provided value. TLS communication is enabled or disabled using `EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE`.
{% endhint %}

* Default
  * `127.0.0.1:8088`

## EF\_OUTPUT\_SPLUNK\_HEC\_TOKEN

The HTTP Event Collector token to use when sending records to Splunk.

* Default
  * `''`

## EF\_OUTPUT\_SPLUNK\_HEC\_BATCH\_DEADLINE

The maximum time, in milliseconds, to wait for a batch of records to fill before being sent to Splunk.

* Default
  * `2000`

## EF\_OUTPUT\_SPLUNK\_HEC\_BATCH\_MAX\_BYTES

The maximum size, in bytes, for a batch of records being sent to Splunk.

* Default
  * `8388608`

## EF\_OUTPUT\_SPLUNK\_HEC\_TLS\_ENABLE

This setting is used to enable/disable TLS connections to Splunk.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_OUTPUT\_SPLUNK\_HEC\_TLS\_SKIP\_VERIFICATION

This setting controls whether TLS verification of the Splunk server to which the output is attempting to connect is skipped. Set it to `true` to disable verification.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_OUTPUT\_SPLUNK\_HEC\_TLS\_CA\_CERT\_FILEPATH

The path to the Certificate Authority (CA) certificate to use for verification of the Splunk server to which the output is attempting to connect.

* Default
  * `''`
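
The address, token and TLS settings above depend on each other, so it is worth checking them together before starting the output. The shell function below is an added example, not ElastiFlow code: the name `check_splunk_hec_env`, its messages, and the sample hostnames and token are assumptions constructed for illustration, and the defaults are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not ElastiFlow code): preflight check of the settings documented above.
# check_splunk_hec_env is a hypothetical name; defaults are the ones listed on this page.
# The exit status is the number of findings (0 = nothing to report).
check_splunk_hec_env() (
  findings=0
  report() { echo "$1"; findings=$((findings + 1)); }
  if [ "${EF_OUTPUT_SPLUNK_HEC_ENABLE:-false}" != "true" ]; then
    echo "Splunk HEC output is disabled; nothing to check"
    exit 0
  fi
  # Entries are host:port only; TLS is selected by EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE.
  set -f        # no globbing while the list is split on commas
  IFS=','
  for addr in ${EF_OUTPUT_SPLUNK_HEC_ADDRESSES:-127.0.0.1:8088}; do
    case "$addr" in
      http://*|https://*) report "FAIL: '$addr' includes a URL scheme"; continue ;;
    esac
    port="${addr##*:}"   # text after the last colon, or the whole entry if none
    case "$port" in
      "$addr"|''|*[!0-9]*) report "FAIL: '$addr' is not in host:port form" ;;
    esac
  done
  [ -n "${EF_OUTPUT_SPLUNK_HEC_TOKEN:-}" ] || report "FAIL: EF_OUTPUT_SPLUNK_HEC_TOKEN is empty"
  if [ "${EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE:-false}" != "true" ]; then
    report "WARN: TLS is disabled; the HEC token and records travel in cleartext"
  elif [ "${EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION:-false}" = "true" ]; then
    report "WARN: TLS verification is skipped; the Splunk server is not authenticated"
  fi
  ca="${EF_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH:-}"
  if [ -n "$ca" ] && [ ! -r "$ca" ]; then
    report "FAIL: CA certificate file '$ca' is not readable"
  fi
  exit "$findings"
)

# Constructed sample: a scheme and a missing port in the list, TLS on but unverified.
(
  EF_OUTPUT_SPLUNK_HEC_ENABLE=true
  EF_OUTPUT_SPLUNK_HEC_ADDRESSES='https://splunk1.example.com:8088,splunk2.example.com'
  EF_OUTPUT_SPLUNK_HEC_TOKEN='00000000-0000-0000-0000-000000000000'
  EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE=true
  EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION=true
  check_splunk_hec_env
) || echo "$? finding(s)"
```

The function reads the variables from the calling shell, so it can be run after sourcing the same environment file the output is started with.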

## EF\_OUTPUT\_SPLUNK\_HEC\_DROP\_FIELDS

This setting allows for a comma-separated list of fields that are to be removed from all records.

{% hint style="info" %}
Fields are dropped after any output specific fields have been added and after any schema conversion. This means that you should use the field names as you see them in the user interface.
{% endhint %}

* Valid Values
  * any field names related to the enabled schema, comma-separated
* Example
  * `flow.export.sysuptime,flow.export.version.ver,flow.start.sysuptime,flow.end.sysuptime,flow.seq_num`
* Default
  * `''`

## EF\_OUTPUT\_SPLUNK\_HEC\_ALLOWED\_RECORD\_TYPES

This setting allows for a comma-separated list of record types that the output will emit. If left empty, all types will be allowed by default.

* Valid Values
  * `as_path_hop`, `flow_option`, `flow`, `ifa_hop`, `telemetry`, `metric`, `log`
* Default
  * `'as_path_hop,flow_option,flow,ifa_hop,telemetry,metric,log'`


