
Splunk HEC

The Splunk HEC output provides a convenient mechanism to send properly formatted events to a Splunk HEC input. ScubaLite Connect abstracts away all the required operations for submitting events to the Splunk API.

Simple message with timestamp

A simple message with an added timestamp. `remove: true` removes `mytime` from the event after its value has been placed into the HEC `time` field. If the event already contains a `time` field, `time-field: time` is not required.

```yaml
name: splunk-hec-eventlog

input:
  echo:
    json: true
    ignore-linebreaks: false
    event: |
      {"message":"Hello, World!"}

actions:
  - time:
      output-field: mytime
      output-format: epoch_frac_secs

output:
  splunk-hec:
    url: https://splunk.hotrod.local:8088/services/collector/event
    insecure: true
    hec-token: 05c0cde0-ecf0-4576-bd93-819d33529697
    host: server.hotrod.local
    sourcetype: hotrod:hpr
    source: pipe
    time-field: mytime
    remove: true
```

If there is no time field in the submitted event, it is timestamped by Splunk at "time received".

Added or extracted fields as metadata

Here the fields are added explicitly for demonstration; in a real-world pipeline they would most likely be extracted from the ingested event:

```yaml
name: splunk-hec-eventlog

input:
  echo:
    json: true
    ignore-linebreaks: false
    event: |
      {"message":"Hello, World!"}

actions:
  - time:
      output-field: mytime
      output-format: epoch_frac_secs

  - add:
      fields:
        - myhost: myhost.hotrod.local
        - myindex: "hotrod_events"
        - mysource: "mysource"
        - mysourcetype: "hotrod:mysourcetype"
        - mytoken: 05c0cde0-ecf0-4576-bd93-819d33529697

output:
  splunk-hec:
    url: https://splunk.hotrod.local:8088/services/collector/event
    insecure: true
    host-field: myhost
    index-field: myindex
    source-field: mysource
    sourcetype-field: mysourcetype
    hec-token-field: mytoken
    time-field: mytime
    remove: true
```

As before, with `remove: true` every field named by a `*-field: my*` setting is removed from the event once its value has been used as HEC metadata.

An event value as payload

Here the HEC event payload is the value of the field named by `event-field: myevent`, rather than the whole event:

```yaml
name: splunk-hec-eventlog

input:
  echo:
    json: true
    ignore-linebreaks: false
    event: |
      {"message":"Hello, World!"}

actions:
  - time:
      output-field: mytime
      output-format: epoch_frac_secs

  - add:
      fields:
        - myevent: Something happened.
        #- myevent: {"message":{"what":"Something happened.","severity":"INFO"}}

output:
  splunk-hec:
    url: https://splunk.hotrod.local:8088/services/collector/event
    insecure: true
    hec-token: 05c0cde0-ecf0-4576-bd93-819d33529697
    host: splunk3000.hotrod.local
    sourcetype: hotrod:hpr
    source: pipe
    event-field: myevent
```
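To make concrete what the splunk-hec output does for you in the three configurations above, here is an added Python example (not ScubaLite Connect code) that applies the same key mapping to a constructed event and produces the HEC request: static keys (`host`, `sourcetype`, ...) are copied as-is, `*-field` keys take their value from the event and, with `remove: true`, drop that field, `event-field` replaces the whole-event payload, and `insecure: true` is assumed to mean TLS verification is skipped. The field-mapping semantics are inferred from the examples on this page; the sample event and token value are constructed.

```python
import json
import ssl
import urllib.request

# Constructed sample: the event after the "time" and "add" actions of the
# second example above have run (the token value is a placeholder).
SAMPLE_EVENT = {"message": "Hello, World!", "mytime": 1700000000.123,
                "myhost": "myhost.hotrod.local", "myindex": "hotrod_events",
                "mysource": "mysource", "mysourcetype": "hotrod:mysourcetype",
                "mytoken": "<HEC-TOKEN-PLACEHOLDER>"}

# The splunk-hec output keys of the second example, in field-mapped form.
FIELD_MAPPED_CONFIG = {"host-field": "myhost", "index-field": "myindex",
                       "source-field": "mysource", "sourcetype-field": "mysourcetype",
                       "hec-token-field": "mytoken", "time-field": "mytime",
                       "remove": True}

# HEC metadata keys; each may be given statically (key) or mapped (key-field).
HEC_META_KEYS = ("host", "index", "source", "sourcetype", "time", "hec-token")


def build_hec_payload(event, cfg):
    """Return (payload, token): the JSON body for /services/collector/event
    and the token for the Authorization header."""
    event = dict(event)  # work on a copy; the caller's event is untouched
    resolved = {}
    for key in HEC_META_KEYS:
        if key in cfg:  # static value, e.g. sourcetype: hotrod:hpr
            resolved[key] = cfg[key]
        elif cfg.get(key + "-field") in event:  # value taken from the event
            field = cfg[key + "-field"]
            # remove: true drops the source field once its value has been mapped
            resolved[key] = event.pop(field) if cfg.get("remove") else event[field]
    token = resolved.pop("hec-token", None)
    # event-field: the payload is that field's value, otherwise the whole event.
    # No time key is emitted when none was mapped, so Splunk stamps it on receipt.
    resolved["event"] = event[cfg["event-field"]] if "event-field" in cfg else event
    return resolved, token


def send_hec(url, payload, token, insecure=False):
    """POST the payload; insecure=True is assumed to mean no TLS verification."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers={
        "Authorization": "Splunk " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()
```

Calling `build_hec_payload(SAMPLE_EVENT, FIELD_MAPPED_CONFIG)` yields a payload whose `event` is just `{"message": "Hello, World!"}`, with all five `my*` metadata fields moved out of it and the token returned separately for the header.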