# Splunk

The **splunk** input plugin handles [Splunk HTTP HEC](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) requests.

## Configuration Parameters

| **Key**                    | Description                                                                                                                                     | default |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| listen                     | The address to listen on                                                                                                                        | 0.0.0.0 |
| port                       | The port for Fluent Bit to listen on                                                                                                            | 9880    |
| tag\_key                   | Specify the key name to overwrite a tag. If set, the tag will be overwritten by a value of the key.                                             |         |
| buffer\_max\_size          | Specify the maximum buffer size in KB to receive a JSON message.                                                                                | 4M      |
| buffer\_chunk\_size        | This sets the chunk size for incoming incoming JSON messages. These chunks are then stored/managed in the space available by buffer\_max\_size. | 512K    |
| successful\_response\_code | It allows to set successful response code. `200`, `201` and `204` are supported.                                                                | 201     |
| splunk\_token              | Add an Splunk token for HTTP HEC.\`                                                                                                             |         |

## Getting Started

In order to start performing the checks, you can run the plugin from the command line or through the configuration file.

#### How to set tag

The tag for the Splunk input plugin is set by adding the tag to the end of the request URL by default. This tag is then used to route the event through the system. The default behavior of the splunk input sets the tags for the following endpoints:

* `/services/collector`
* `/services/collector/event`
* `/services/collector/raw`

The requests for these endpoints are interpreted as `services_collector`, `services_collector_event`, and `services_collector_raw`.

If you want to use the other tags for multiple instantiating input splunk plugin, you have to specify `tag` property on the each of splunk plugin configurations to prevent collisions of data pipeline.

### Command Line

From the command line you can configure Fluent Bit to handle HTTP HEC requests with the following options:

```bash
$ fluent-bit -i splunk -p port=8088 -o stdout
```

### Configuration File

In your main configuration file append the following *Input* & *Output* sections:

```python
[INPUT]
    name splunk
    listen 0.0.0.0
    port 8088

[OUTPUT]
    name stdout
    match *
```