search
Ctrlk

Splunk

circle-info

The Splunk output is currently a technology preview. The design and implementation are less mature than stable features and subject to change.

The Splunk HEC output can be used to send records to Splunk Enterprisearrow-up-right or Splunk Cloud Platformarrow-up-right via the HTTP Event Collectorarrow-up-right.

hashtag
EF_OUTPUT_SPLUNK_HEC_ENABLE

Specifies whether the Splunk output is enabled.

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_OUTPUT_SPLUNK_HEC_CIM_ENABLE

Specifies whether the data will be sent using the Splunk Common Information Model (CIM).

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_OUTPUT_SPLUNK_HEC_ADDRESSES

This setting specifies the Splunk servers to which the output should connect. It is a comma-separated list of Splunk nodes, including port number.

triangle-exclamation

Do NOT include http:// or https:// in the provided value. TLS communications is enabled/disabled using EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE.

  • Default

    • 127.0.0.1:8088

hashtag
EF_OUTPUT_SPLUNK_HEC_TOKEN

The HTTP Event Collector token to use when sending records to Splunk.

  • Default

    • ''

hashtag
EF_OUTPUT_SPLUNK_HEC_BATCH_DEADLINE

The maximum time, in milliseconds, to wait for a batch of records to fill before being sent to Splunk.

  • Default

    • 2000

hashtag
EF_OUTPUT_SPLUNK_HEC_BATCH_MAX_BYTES

The maximum size, in bytes, for a batch of records being sent to Splunk.

  • Default

    • 8388608

hashtag
EF_OUTPUT_SPLUNK_HEC_TLS_ENABLE

This setting is used to enable/disable TLS connections to Splunk.

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_OUTPUT_SPLUNK_HEC_TLS_SKIP_VERIFICATION

This setting is used to enable/disable TLS verification of the Splunk server to which the output is attempting to connect.

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_OUTPUT_SPLUNK_HEC_TLS_CA_CERT_FILEPATH

The path to the Certificate Authority (CA) certificate to use for verification of the Splunk server to which the output is attempting to connect.

  • Default

    • ''

hashtag
EF_OUTPUT_SPLUNK_HEC_DROP_FIELDS

This setting allows for a comma-separated list of fields that are to be removed from all records.

circle-info

Fields are dropped after any output specific fields have been added and after any schema conversion. This means that you should use the field names as you see them in the user interface.

  • Valid Values

    • any field names related to the enabled schema, comma-separated

  • Example

    • flow.export.sysuptime,flow.export.version.ver,flow.start.sysuptime,flow.end.sysuptime,flow.seq_num

  • Default

    • ''

hashtag
EF_OUTPUT_SPLUNK_HEC_ALLOWED_RECORD_TYPES

This setting allows for a comma-separated list of record types that the output will send will emit. If left empty, all types will be allowed by default.

  • Valid Values

    • as_path_hop, flow_option, flow, ifa_hop, telemetry, metric, log

  • Default

    • 'as_path_hop,flow_option,flow,ifa_hop,telemetry,metric,log'

PreviousTraceNextStandard Out

Last updated

Was this helpful?