Splunk HTTP Event Collector (HEC)
Receive logs from Splunk
status: stable
role: aggregator
delivery: at-least-once
acknowledgements: yes
egress: batch
state: stateless
output: log
Configuration
Example configurations
Minimal example (JSON):

{
  "sources": {
    "my_source_id": {
      "type": "splunk_hec",
      "acknowledgements": null,
      "address": "0.0.0.0:8080",
      "token": "A94A8FE5CCB19BA61C4C08",
      "valid_tokens": [
        "A94A8FE5CCB19BA61C4C08"
      ]
    }
  }
}

Minimal example (TOML):

[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:8080"
token = "A94A8FE5CCB19BA61C4C08"
valid_tokens = [ "A94A8FE5CCB19BA61C4C08" ]

Minimal example (YAML):

---
sources:
  my_source_id:
    type: splunk_hec
    acknowledgements: null
    address: 0.0.0.0:8080
    token: A94A8FE5CCB19BA61C4C08
    valid_tokens:
      - A94A8FE5CCB19BA61C4C08

Example with the optional tls and store_hec_token settings present (JSON):

{
  "sources": {
    "my_source_id": {
      "type": "splunk_hec",
      "acknowledgements": null,
      "address": "0.0.0.0:8080",
      "token": "A94A8FE5CCB19BA61C4C08",
      "valid_tokens": [
        "A94A8FE5CCB19BA61C4C08"
      ],
      "tls": null,
      "store_hec_token": null
    }
  }
}

Example with the optional tls and store_hec_token settings present (TOML):

[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:8080"
token = "A94A8FE5CCB19BA61C4C08"
valid_tokens = [ "A94A8FE5CCB19BA61C4C08" ]

Example with the optional tls and store_hec_token settings present (YAML):

---
sources:
  my_source_id:
    type: splunk_hec
    acknowledgements: null
    address: 0.0.0.0:8080
    token: A94A8FE5CCB19BA61C4C08
    valid_tokens:
      - A94A8FE5CCB19BA61C4C08
    tls: null
    store_hec_token: null

The token value A94A8FE5CCB19BA61C4C08 is a sample. Note that 0.0.0.0:8080 listens on every interface; without token or valid_tokens set, or TLS enabled, anything that can reach that port can submit events in clear text.
acknowledgements
  common, optional, object
  Controls how acknowledgements are handled by this source. These settings override the global acknowledgement settings. This setting is deprecated in favor of enabling acknowledgements in the destination sink.

acknowledgements.ack_idle_cleanup
  optional, bool
  Whether or not to remove channels after idling for max_idle_time seconds. A channel is idling if it is not used for sending data or querying ack statuses.
  default: false

acknowledgements.enabled
  optional, bool
  Controls whether the source waits for destination sinks to deliver the events before acknowledging receipt.
  default: false

acknowledgements.max_idle_time
  optional, uint
  The amount of time, in seconds, a channel is allowed to idle before removal. Channels can potentially idle for longer than this setting, but clients should not rely on that behavior. Minimum of 1.
  default: 300 (seconds)

acknowledgements.max_number_of_ack_channels
  optional, uint
  The maximum number of Splunk HEC channels clients can use with this source. Minimum of 1.
  default: 1000000 (1e+06)

acknowledgements.max_pending_acks
  optional, uint
  The maximum number of ack statuses pending query across all channels. Equivalent to the max_number_of_acked_requests_pending_query Splunk HEC setting. Minimum of 1.
  default: 10000000 (1e+07)

acknowledgements.max_pending_acks_per_channel
  optional, uint
  The maximum number of ack statuses pending query for a single channel. Equivalent to the max_number_of_acked_requests_pending_query_per_ack_channel Splunk HEC setting. Minimum of 1.
  default: 1000000 (1e+06)

store_hec_token
  optional, bool
  When incoming requests contain a Splunk HEC token and this setting is true, the token is kept in the event metadata and is used if the event is sent to a Splunk HEC sink. The stored value is a credential for that downstream endpoint, so leave this disabled unless events really are forwarded to a Splunk HEC sink that should reuse the client's token.
  default: false

tls
  optional, object
  Configures the TLS options for incoming connections.

tls.ca_file
  optional, string literal
  Absolute path to an additional CA certificate file, in DER or PEM format (X.509), or an in-line CA certificate in PEM format.

tls.crt_file
  optional, string literal
  Absolute path to a certificate file used to identify this server, in DER or PEM format (X.509) or PKCS#12, or an in-line certificate in PEM format. If this is set and is not a PKCS#12 archive, key_file must also be set. Required if tls.enabled is set to true.

tls.enabled
  optional, bool
  Require TLS for incoming connections. If this is set, an identity certificate (tls.crt_file) is also required.
  default: false

tls.key_file
  optional, string literal
  Absolute path to a private key file used to identify this server, in DER or PEM format (PKCS#8), or an in-line private key in PEM format.

tls.key_pass
  optional, string literal
  Pass phrase used to unlock the encrypted key file. This has no effect unless key_file is set.

tls.verify_certificate
  optional, bool
  If true, Vector requires a TLS certificate from the connecting host and terminates the connection if the certificate is not valid. If false (the default), Vector does not request a certificate from the client. Set this to true, with tls.ca_file pointing at the CA that issues the client certificates, to require mutual TLS in addition to the HEC token.
  default: false

token
  common, optional, string literal
  If supplied, incoming requests must supply this token in the Authorization header, just as a client would if it was communicating with the Splunk HEC endpoint directly. If neither this nor valid_tokens is supplied, the Authorization header is ignored and requests are not authenticated: any host that can reach the configured address can then inject events into the pipeline. Use valid_tokens instead when more than one token must be accepted.

valid_tokens
  common, optional, [string]
  If supplied, incoming requests must supply one of these tokens in the Authorization header, just as a client would if it was communicating with the Splunk HEC endpoint directly. If neither this nor token is supplied, the Authorization header is ignored and requests are not authenticated. Listing both the current and the replacement token here lets clients be moved to a new token without a gap in ingestion.

Outputs
<component_id>
Default output stream of the component. Use this component's ID as an input to downstream transforms and sinks.

Output Data
Logs

Event: a single event, with these fields.

  message (required, string literal)
  The raw line, unparsed.
  Example: 2019-02-13T19:48:34+00:00 [info] Started GET "/" for 127.0.0.1

  splunk_channel (required, string)
  The Splunk channel: the value of the X-Splunk-Request-Channel header or of the channel query parameter, in that order of precedence. It is the identifier the client chose, not a timestamp.

  timestamp (required, timestamp)
  The exact time the event was ingested into Vector.
  Example: 2020-10-10T17:07:36.452332Z
Telemetry
Metrics

Common tags (present on every metric below unless stated otherwise):
  component_id (required): The Vector component ID.
  component_kind (required): The Vector component kind.
  component_name (required): Deprecated, use component_id instead. The value is the same as component_id.
  component_type (required): The Vector component type.
  host (optional): The hostname of the system Vector is running on.
  pid (optional): The process ID of the Vector instance.

Origin tags (on the received-side metrics; all optional):
  container_name: The name of the container from which the data originated.
  file: The file from which the data originated.
  mode: The connection mode used by the component.
  peer_addr: The IP from which the data originated.
  peer_path: The pathname from which the data originated.
  pod_name: The name of the pod from which the data originated.
  uri: The sanitized URI from which the data originated.

component_errors_total (counter)
  The total number of errors encountered by this component.
  Tags: common tags, plus error_type (required): the type of the error; stage (required): the stage within the component at which the error occurred.

component_received_bytes_total (counter)
  The number of raw bytes accepted by this component from source origins.
  Tags: common tags and origin tags.

component_received_event_bytes_total (counter)
  The number of event bytes accepted by this component, either from tagged origins like file and uri, or cumulatively from other origins.
  Tags: common tags and origin tags.

component_received_events_total (counter)
  The number of events accepted by this component, either from tagged origins like file and uri, or cumulatively from other origins.
  Tags: common tags and origin tags.

component_sent_event_bytes_total (counter)
  The total number of event bytes emitted by this component.
  Tags: common tags, plus output (optional): the specific output of the component.

component_sent_events_total (counter)
  The total number of events emitted by this component.
  Tags: common tags, plus output (optional): the specific output of the component.

events_in_total (counter)
  The number of events accepted by this component, either from tagged origins like file and uri, or cumulatively from other origins. This metric is deprecated and will be removed in a future version; use component_received_events_total instead.
  Tags: common tags and origin tags.

events_out_total (counter)
  The total number of events emitted by this component. This metric is deprecated and will be removed in a future version; use component_sent_events_total instead.
  Tags: common tags, plus output (optional): the specific output of the component.

http_request_errors_total (counter)
  The total number of HTTP request errors for this component.
  Tags: host (optional) and pid (optional) only.

requests_received_total (counter)
  The total number of requests received by this component.
  Tags: common tags.
How it works
Indexer Acknowledgements
With acknowledgements enabled, the source uses the Splunk HEC indexer acknowledgements protocol to let clients verify that their data has been delivered to the destination sinks, rather than merely accepted by Vector.
To summarize the protocol: each request to the source is associated with an integer identifier (an ack id) that is returned to the client. The client can later query the source for the status of that ack id, which only reports success once the destination sinks have delivered the events (see acknowledgements.enabled). Ack ids are scoped to the client's channel, the value recorded in the splunk_channel field, and the acknowledgements.max_* and ack_idle_cleanup options bound how many channels and pending statuses the source keeps in memory. Because a request that fails authentication is rejected before any ack id is issued, the ack query is also only answered for authenticated clients.
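The following in-memory model, added here as an example and not code from Vector or from this page, walks through both the token check described under token / valid_tokens and the acknowledgement exchange summarized above: a client posts events on a channel, receives an ack id, polls it before and after the sink confirms delivery, and loses the channel once it idles past max_idle_time. The wire details it assumes are not stated on this page: the "Authorization: Splunk <token>" scheme, the /services/collector/event and /services/collector/ack paths, the {"acks": [...]} query body and the response texts; the channel names chan-1 and chan-2 and all requests are constructed.

```python
"""Added example (not Vector's code): in-memory model of HEC token checks and indexer acks.
Assumed, not from the page: 'Authorization: Splunk <token>', the /services/collector/event
and /services/collector/ack paths, the {"acks": [...]} query body and the response texts."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field


@dataclass
class HecConfig:            # mirrors the page's options; token values are samples
    token: str | None = None
    valid_tokens: list[str] = field(default_factory=list)
    ack_enabled: bool = False
    max_number_of_ack_channels: int = 1_000_000
    max_idle_time: float = 300.0   # seconds
    ack_idle_cleanup: bool = False


@dataclass
class Channel:
    next_ack_id: int = 0
    pending: dict[int, bool] = field(default_factory=dict)   # ack id -> delivered by sinks?
    last_used: float = 0.0


class HecReceiver:
    def __init__(self, cfg: HecConfig):
        self.cfg = cfg
        self.now = 0.0                   # fake clock, advanced by the caller
        self.channels: dict[str, Channel] = {}
        self.accepted: list[dict] = []   # events handed to downstream components

    def _authorized(self, headers: dict) -> bool:
        allowed = set(self.cfg.valid_tokens) | ({self.cfg.token} if self.cfg.token else set())
        if not allowed:                  # neither option set: header ignored, no authentication
            return True
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        return scheme == "Splunk" and any(
            hmac.compare_digest(presented.encode(), t.encode()) for t in allowed)

    @staticmethod
    def _channel(headers: dict, query: dict) -> str | None:
        # header wins over the query parameter, the precedence the splunk_channel field documents
        return headers.get("X-Splunk-Request-Channel") or query.get("channel")

    def _expire_idle(self) -> None:
        if self.cfg.ack_idle_cleanup:
            for name in [n for n, c in self.channels.items()
                         if self.now - c.last_used > self.cfg.max_idle_time]:
                del self.channels[name]

    def post_event(self, headers: dict, query: dict, events: list[dict]) -> tuple[int, dict]:
        """POST /services/collector/event -> (HTTP status, JSON body)."""
        if not self._authorized(headers):
            return 401, {"text": "Invalid authorization"}
        if not self.cfg.ack_enabled:
            self.accepted.extend(events)
            return 200, {"text": "Success"}
        name = self._channel(headers, query)
        if name is None:
            return 400, {"text": "Data channel is missing"}
        self._expire_idle()
        ch = self.channels.get(name)
        if ch is None:
            if len(self.channels) >= self.cfg.max_number_of_ack_channels:
                return 503, {"text": "Too many channels"}   # assumed wording
            ch = self.channels[name] = Channel()
        ack_id, ch.next_ack_id = ch.next_ack_id, ch.next_ack_id + 1
        ch.pending[ack_id] = False       # stays false until every sink has delivered
        ch.last_used = self.now
        self.accepted.extend(events)
        return 200, {"text": "Success", "ackId": ack_id}

    def sink_delivered(self, name: str, ack_id: int) -> None:
        """Called by the pipeline once the destination sinks have delivered that request."""
        self.channels[name].pending[ack_id] = True

    def post_ack(self, headers: dict, query: dict, body: dict) -> tuple[int, dict]:
        """POST /services/collector/ack with {"acks": [ids]}; statuses reported true are cleared."""
        if not self._authorized(headers):
            return 401, {"text": "Invalid authorization"}
        name = self._channel(headers, query)
        self._expire_idle()
        ch = self.channels.get(name) if name else None
        if ch is None:
            return 400, {"text": "Invalid data channel"}
        ch.last_used = self.now
        statuses = {str(i): ch.pending.get(i, False) for i in body.get("acks", [])}
        for i, done in statuses.items():
            if done:
                ch.pending.pop(int(i), None)
        return 200, {"acks": statuses}


def demo() -> dict:
    """One constructed exchange; returns every response so the steps can be inspected."""
    cfg = HecConfig(valid_tokens=["A94A8FE5CCB19BA61C4C08"], ack_enabled=True,
                    ack_idle_cleanup=True, max_idle_time=300, max_number_of_ack_channels=1)
    rx = HecReceiver(cfg)
    ok = {"Authorization": "Splunk A94A8FE5CCB19BA61C4C08", "X-Splunk-Request-Channel": "chan-1"}
    bad = {"Authorization": "Splunk not-the-token", "X-Splunk-Request-Channel": "chan-1"}
    other = {"Authorization": "Splunk A94A8FE5CCB19BA61C4C08", "X-Splunk-Request-Channel": "chan-2"}
    out = {}
    out["unauthorized"] = rx.post_event(bad, {}, [{"event": "denied"}])
    out["sent"] = rx.post_event(ok, {}, [{"event": "hello"}])          # first ack id on chan-1
    out["channel_limit"] = rx.post_event(other, {}, [{"event": "x"}])  # max_number_of_ack_channels
    out["before"] = rx.post_ack(ok, {}, {"acks": [0]})                 # sinks have not confirmed
    rx.sink_delivered("chan-1", 0)
    out["after"] = rx.post_ack(ok, {}, {"acks": [0]})                  # now true, then cleared
    rx.now += 301                                                      # idle past max_idle_time
    out["expired"] = rx.post_ack(ok, {}, {"acks": [0]})                # channel was removed
    out["open"] = HecReceiver(HecConfig()).post_event(bad, {}, [{"event": "x"}])  # no token set
    return out
```

The last step is the one to notice: with neither token nor valid_tokens configured, the receiver accepts the request carrying a wrong token, which is exactly the "requests will not be authenticated" behaviour the option descriptions warn about.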
Transport Layer Security (TLS)
Vector uses OpenSSL for TLS protocols. You can adjust TLS behavior via the tls.* options.