Fluent Bit: Official Manual
Search…
1.8
Fluent Bit v1.8 Documentation
About
What is Fluent Bit ?
A Brief History of Fluent Bit
Fluentd & Fluent Bit
License
Concepts
Key Concepts
Buffering
Data Pipeline
Installation
Getting Started with Fluent Bit
Upgrade Notes
Supported Platforms
Requirements
Sources
Linux Packages
Docker
Containers on AWS
Amazon EC2
Kubernetes
Yocto / Embedded Linux
Windows
Administration
Configuring Fluent Bit
Security
Buffering & Storage
Backpressure
Scheduling and Retries
Networking
Memory Management
Monitoring
Dump Internals / Signal
HTTP Proxy
Local Testing
Validating your Data and Structure
Running a Logging Pipeline Locally
Data Pipeline
Pipeline Monitoring
Inputs
Parsers
Filters
Outputs
Prometheus Exporter
Prometheus Remote Write
Amazon CloudWatch
Amazon Kinesis Data Firehose
Amazon Kinesis Data Streams
Amazon S3
Azure Log Analytics
Azure Blob
Google Cloud BigQuery
Counter
Datadog
Elasticsearch
File
FlowCounter
Forward
GELF
HTTP
InfluxDB
Kafka
Kafka REST Proxy
LogDNA
Loki
NATS
New Relic
NULL
PostgreSQL
Slack
Stackdriver
Standard Output
Splunk
Syslog
TCP & TLS
Treasure Data
WebSocket
Stream Processing
Introduction to Stream Processing
Overview
Changelog
Getting Started
Fluent Bit for Developers
C Library API
Ingest Records Manually
Golang Output Plugins
Developer guide for beginners on contributing to Fluent Bit
Powered By GitBook
Splunk
Send logs to Splunk HTTP Event Collector
Splunk output plugin allows to ingest your records into a Splunk Enterprise service through the HTTP Event Collector (HEC) interface.
To get more details about how to setup the HEC in Splunk please refer to the following documentation: Splunk / Use the HTTP Event Collector​

Configuration Parameters

Connectivity, transport and authentication configuration properties:
Key
Description
default
host
IP address or hostname of the target Splunk service.
127.0.0.1
port
TCP port of the target Splunk service.
8088
splunk_token
Specify the Authentication Token for the HTTP Event Collector interface.
​
http_user
Optional username for Basic Authentication on HEC
​
http_passwd
Password for user defined in HTTP_User
​
http_buffer_size
Buffer size used to receive Splunk HTTP responses
2M
compress
Set payload compression mechanism. The only available option is gzip.
​
Content and Splunk metadata (fields) handling configuration properties:
Key
Description
default
splunk_send_raw
When enabled, the record keys and values are set in the top level of the map instead of under the event key. Refer to the Sending Raw Events section from the docs for more details to make this option work properly.
off
event_key
Specify the key name that will be used to send a single value as part of the record.
​
event_host
Specify the key name that contains the host value. This option allows a record accessors pattern.
​
event_source
Set the source value to assign to the event data.
​
event_sourcetype
Set the sourcetype value to assign to the event data.
​
event_sourcetype_key
Set a record key that will populate 'sourcetype'. If the key is found, it will have precedence over the value set in event_sourcetype.
​
event_index
The name of the index by which the event data is to be indexed.
​
event_index_key
Set a record key that will populate the index field. If the key is found, it will have precedence over the value set in event_index.
​
event_field
Set event fields for the record. This option can be set multiple times and the format is key_name record_accessor_pattern.
​

TLS / SSL

Splunk output plugin supports TTL/SSL, for more details about the properties available and general configuration, please refer to the TLS/SSL section.

Getting Started

In order to insert records into a Splunk service, you can run the plugin from the command line or through the configuration file:

Command Line

The splunk plugin, can read the parameters from the command line in two ways, through the -p argument (property), e.g:
1
$ fluent-bit -i cpu -t cpu -o splunk -p host=127.0.0.1 -p port=8088 \
2
-p tls=on -p tls.verify=off -m '*'
Copied!

Configuration File

In your main configuration file append the following Input & Output sections:
1
[INPUT]
2
Name cpu
3
Tag cpu
4
​
5
[OUTPUT]
6
Name splunk
7
Match *
8
Host 127.0.0.1
9
Port 8088
10
TLS On
11
TLS.Verify Off
12
Message_Key my_key
Copied!

Data format

By default, the Splunk output plugin nests the record under the event key in the payload sent to the HEC. It will also append the time of the record to a top level time key.
If you would like to customize any of the Splunk event metadata, such as the host or target index, you can set Splunk_Send_Raw On in the plugin configuration, and add the metadata as keys/values in the record. Note: with Splunk_Send_Raw enabled, you are responsible for creating and populating the event section of the payload.
For example, to add a custom index and hostname:
1
[INPUT]
2
Name cpu
3
Tag cpu
4
​
5
# nest the record under the 'event' key
6
[FILTER]
7
Name nest
8
Match *
9
Operation nest
10
Wildcard *
11
Nest_under event
12
​
13
# add event metadata
14
[FILTER]
15
Name modify
16
Match *
17
Add index my-splunk-index
18
Add host my-host
19
​
20
[OUTPUT]
21
Name splunk
22
Match *
23
Host 127.0.0.1
24
Splunk_Token xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
25
Splunk_Send_Raw On
Copied!
This will create a payload that looks like:
1
{
2
"time": "1535995058.003385189",
3
"index": "my-splunk-index",
4
"host": "my-host",
5
"event": {
6
"cpu_p":0.000000,
7
"user_p":0.000000,
8
"system_p":0.000000
9
}
10
}
Copied!
For more information on the Splunk HEC payload format and all event meatadata Splunk accepts, see here: http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC​

Sending Raw Events

If the option splunk_send_raw has been enabled, the user must take care to put all log details in the event field, and only specify fields known to Splunk in the top level event, if there is a mismatch, Splunk will return a HTTP error 400.
Consider the following example:
splunk_send_raw off
1
{"time": ..., "event": {"k1": "foo", "k2": "bar", "index": "applogs"}}
Copied!
splunk_send_raw on
1
{"time": .., "k1": "foo", "k2": "bar", "index": "applogs"}
Copied!
For up to date information about the valid keys in the top level object, refer to the Splunk documentation:
​http://docs.splunk.com/Documentation/Splunk/latest/Data/AboutHEC​

Splunk Metric Index

With Splunk version 8.0> you can also use the Fluent Bit Splunk output plugin to send data to metric indices. This allows you to perform visualizations, metric queries, and analysis with other metrics you may be collecting. This is based off of Splunk 8.0 support of multi metric support via single JSON payload, more details can be found on Splunk's documentation page​
Sending to a Splunk Metric index requires the use of Splunk_send_raw option being enabled and formatting the message properly. This includes three specific operations
    Nest metric events under a "fields" property
    Add metric_name: to all metrics
    Add index, source, sourcetype as fields in the message

Example Configuration

The following configuration gathers CPU metrics, nests the appropriate field, adds the required identifiers and then sends to Splunk.
1
[INPUT]
2
name cpu
3
tag cpu
4
​
5
# Move CPU metrics to be nested under "fields" and
6
# add the prefix "metric_name:" to all metrics
7
# NOTE: you can change Wildcard field to only select metric fields
8
[FILTER]
9
Name nest
10
Match cpu
11
Wildcard *
12
Operation nest
13
Nest_under fields
14
Add_Prefix metric_name:
15
​
16
# Add index, source, sourcetype
17
[FILTER]
18
Name modify
19
Match cpu
20
Set index cpu-metrics
21
Set source fluent-bit
22
Set sourcetype custom
23
​
24
# ensure splunk_send_raw is on
25
[OUTPUT]
26
name splunk
27
match *
28
host <HOST>
29
port 8088
30
splunk_send_raw on
31
splunk_token f9bd5bdb-c0b2-4a83-bcff-9625e5e908db
32
tls on
33
tls.verify off
Copied!
Previous
Standard Output
Next
Syslog
Last modified 1mo ago
Export as PDF
Copy link
Contents
Configuration Parameters
TLS / SSL
Getting Started
Command Line
Configuration File
Data format
Sending Raw Events
Splunk Metric Index
Example Configuration