Splunk HEC Source
The Vector splunk_hec source ingests data through the Splunk HTTP Event Collector protocol and outputs log events.
Configuration
```toml
[sources.my_source_id]
# REQUIRED
type = "splunk_hec" # example, must be: "splunk_hec"

# OPTIONAL
address = "0.0.0.0:8088" # default
token = "A94A8FE5CCB19BA61C4C08" # example, no default
```
Options
address
The address to accept connections on.
Default: "0.0.0.0:8088"

token
If supplied, incoming requests must present this token in the Authorization header, exactly as a client would when talking to a Splunk HEC endpoint directly. If not supplied, the Authorization header is ignored and requests are not authenticated, so any client that can reach the listening address can submit events.
Output
The splunk_hec source ingests data through the Splunk HTTP Event Collector protocol and outputs log events.
For example:
Given the following input:
Hello world
A log event will be output with the following structure:
```
{
  "timestamp": <2019-07-26T20:30:27.000443Z>, // time event was received
  "host": "my.host.com", // value of the `Host` header
  "splunk_channel": "FE0ECFAD-13D5-401B-847D-77833BD77131" // value of the `X-Splunk-Request-Channel` header
}
```
More detail on the output schema is below.
message
The raw log message, unaltered.
splunk_channel
The exact time the event was ingested.
timestamp
If the Splunk HEC event endpoint is used, the value of the event's `time` field is used. If the Splunk HEC raw endpoint is used, the time at which the event was received is used.
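The following is an added illustration, not Vector's own code, of the three behaviours this page describes: the token check on the Authorization header (and the fact that a missing `token` setting disables authentication entirely), the `host` and `splunk_channel` fields taken from the `Host` and `X-Splunk-Request-Channel` headers, and the timestamp rule for the event versus raw endpoints. The endpoint paths follow the Splunk HEC API (`/services/collector/event` and `/services/collector/raw`); the `Splunk <token>` header scheme is Splunk's; falling back to the receive time when an event-endpoint payload carries no `time` field is an assumption of this example. The sample request values are constructed.

```python
import hmac
import json
from datetime import datetime, timezone

# Splunk HEC API paths (assumed here; taken from the HEC protocol, not from this page)
EVENT_PATH = "/services/collector/event"
RAW_PATH = "/services/collector/raw"

# Constructed sample request, reusing the example values shown on this page
SAMPLE_TOKEN = "A94A8FE5CCB19BA61C4C08"
SAMPLE_HEADERS = {
    "Authorization": "Splunk " + SAMPLE_TOKEN,
    "Host": "my.host.com",
    "X-Splunk-Request-Channel": "FE0ECFAD-13D5-401B-847D-77833BD77131",
}
SAMPLE_RECEIVED_AT = datetime(2019, 7, 26, 20, 30, 27, 443, tzinfo=timezone.utc)


def is_authorized(configured_token, headers):
    """Apply the page's rule: with a configured token, the client must present it
    in the Authorization header (Splunk scheme is `Splunk <token>`); with no
    configured token, the header is ignored and every request is accepted."""
    if configured_token is None:
        return True  # unauthenticated mode: anyone who can reach the port is accepted
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Splunk" or not presented:
        return False
    # constant-time comparison so a wrong token does not leak via timing
    return hmac.compare_digest(presented.encode(), configured_token.encode())


def ingest(configured_token, path, headers, body, received_at):
    """Return the log event a HEC source would emit, or None if the request is rejected."""
    if not is_authorized(configured_token, headers):
        return None
    if path == EVENT_PATH:
        payload = json.loads(body)
        event = payload["event"]
        message = event if isinstance(event, str) else json.dumps(event)
        # event endpoint: the payload's `time` field (epoch seconds) is the timestamp;
        # fallback to the receive time when it is absent is an assumption of this example
        if "time" in payload:
            timestamp = datetime.fromtimestamp(float(payload["time"]), tz=timezone.utc)
        else:
            timestamp = received_at
    elif path == RAW_PATH:
        message = body          # raw endpoint: the body is the unaltered message
        timestamp = received_at  # raw endpoint: time the event was received
    else:
        return None
    return {
        "timestamp": timestamp,
        "host": headers.get("Host"),
        "splunk_channel": headers.get("X-Splunk-Request-Channel"),
        "message": message,
    }


def demo():
    """Run the constructed sample through both endpoints; returns the two events."""
    raw = ingest(SAMPLE_TOKEN, RAW_PATH, SAMPLE_HEADERS, "Hello world", SAMPLE_RECEIVED_AT)
    evt = ingest(SAMPLE_TOKEN, EVENT_PATH, SAMPLE_HEADERS,
                 '{"event": "Hello world", "time": 1564174800}', SAMPLE_RECEIVED_AT)
    return raw, evt


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The operational point for a defender is in `is_authorized`: the `token` option is the only authentication the source offers, so leave it unset only on a listener that is reachable solely from trusted collectors, and compare it in constant time as shown rather than with `==`.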
How It Works
Environment Variables
Environment variables are supported throughout all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.
You can learn more in the Environment Variables section.