Splunk output plugin allows to ingest your records into a Splunk Enterprise service through the HTTP Event Collector (HEC) interface.
To get more details about how to setup the HEC in Splunk please refer to the following documentation: Splunk / Use the HTTP Event Collector

Configuration Parameters

IP address or hostname of the target Splunk service.
TCP port of the target Splunk service.
Specify the Authentication Token for the HTTP Event Collector interface.
When enabled, the record keys and values are set in the top level of the map instead of under the event key.
Optional username for Basic Authentication on HEC
Password for user defined in HTTP_User


Splunk output plugin supports TTL/SSL, for more details about the properties available and general configuration, please refer to the TLS/SSL section.

Getting Started

In order to insert records into a Splunk service, you can run the plugin from the command line or through the configuration file:

Command Line

The splunk plugin, can read the parameters from the command line in two ways, through the -p argument (property), e.g:
$ fluent-bit -i cpu -t cpu -o splunk -p host= -p port=8088 \
-p tls=on -p tls.verify=off -m '*'

Configuration File

In your main configuration file append the following Input & Output sections:
Name cpu
Tag cpu
Name splunk
Match *
Port 8088
TLS.Verify Off
Message_Key my_key

Data format

By default, the Splunk output plugin nests the record under the event key in the payload sent to the HEC. It will also append the time of the record to a top level time key.
If you would like to customize any of the Splunk event metadata, such as the host or target index, you can set Splunk_Send_Raw On in the plugin configuration, and add the metadata as keys/values in the record. Note: with Splunk_Send_Raw enabled, you are responsible for creating and populating the event section of the payload.
For example, to add a custom index and hostname:
Name cpu
Tag cpu
# nest the record under the 'event' key
Name nest
Match *
Operation nest
Wildcard *
Nest_under event
# add event metadata
Name modify
Match *
Add index my-splunk-index
Add host my-host
Name splunk
Match *
Splunk_Token xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Splunk_Send_Raw On
This will create a payload that looks like:
"time": "1535995058.003385189",
"index": "my-splunk-index",
"host": "my-host",
"event": {
For more information on the Splunk HEC payload format and all event meatadata Splunk accepts, see here:
Last modified 4yr ago