Splunk HTTP Event Collector Source
Overview
This source node is used to ingest log data from Splunk’s HTTP Event Collector.
Example Configuration
nodes:
  - name: my_hec_input
    type: splunk_hec_input
    port: 8088
    read_timeout: 30s
Required Parameters
name
A descriptive name for the node. This is the name that will appear in pipeline builder and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.
nodes:
  - name: <node name>
    type: <node type>
type: splunk_hec_input
The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.
nodes:
  - name: <node name>
    type: <node type>
read_timeout
The read_timeout parameter is used to specify how long to wait for incoming data. The default value is 0, which means no timeout. It is specified as a duration and it is required.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
Optional Parameters
listen
The listen parameter is used to specify the address to listen to for incoming traffic. It is specified as a string and it is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    listen: <host>
port
Enter the port number that the splunk_hec_input type node should listen on. It is specified as an integer and is an optional parameter.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    port: <port number>
source_metadata
The source_metadata parameter is used to define which detected resources and attributes to add to each data item as it is ingested by the Edge Delta agent. In the GUI you can select:
- Required Only: This option includes the minimum required resources and attributes for Edge Delta to operate.
- Default: This option includes the required resources and attributes plus those selected by Edge Delta.
- High: This option includes the required resources and attributes along with a larger selection of common optional fields.
- Custom: With this option selected, you can choose which attributes and resources to include. The required fields are selected by default and can’t be unchecked.
Based on your selection in the GUI, the source_metadata YAML is populated as two dictionaries (resource_attributes and attributes) with Boolean values.
See Choose Data Item Metadata for more information on selecting metadata.
tls
The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      <tls options>:
ca_file
The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file. It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ca_file: /certs/ca.pem
ca_path
The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ca_path: /var/etc/kafka
client_auth_type
The client_auth_type parameter is a child of the tls parameter. It specifies the authentication type to use for the connection. It is specified as a string from a closed list and is optional.
The following authentication methods are available:
- noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
- requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
- requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
- verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
- requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      client_auth_type: <auth type>
crt_file
The crt_file parameter is a child of the tls parameter. It specifies the certificate file. It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      crt_file: /certs/server-cert.pem
ignore_certificate_check
The ignore_certificate_check parameter is a child of the tls parameter. When set to true, it ignores certificate checks for the remote endpoint. It is specified as a Boolean value and the default is false, indicating that TLS verification will be performed. This is an optional parameter.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      ignore_certificate_check: true
key_file
The key_file parameter is a child of the tls parameter. It specifies the key file. It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      key_file: /certs/server-key.pem
key_password
The key_password parameter is a child of the tls parameter. It specifies the key password. When the private key_file location is provided, this file can also be provided to get the password of the private key. It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      key_password: <password>
attributes_from_headers
Minimum Agent Version: v2.5.0
The attributes_from_headers parameter allows you to extract specific HTTP headers from incoming Splunk HEC requests and store them as attributes on the received data items. This is useful for capturing metadata such as authentication tokens, client identifiers, or custom headers. It is specified as an array of header names and is an optional advanced parameter.
When a Splunk HEC request includes an Authorization: Splunk <token> header and Authorization is included in this list, the token value will be stored in resource.splunk_token on the data item, which can then be used by the Splunk output node.
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    attributes_from_headers:
      - Authorization
      - X-Splunk-Request-Channel
      - X-Custom-Header
Example Use Case: This feature enables token passthrough scenarios where the Splunk HEC input captures the original Splunk token from incoming requests, and the Splunk output node can use that same token when forwarding data to Splunk, maintaining authentication context throughout the pipeline.
max_version
The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional.
You can select one of the following options:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      max_version: <TLS version>
min_version
The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2.
You can select one of the following options:
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
nodes:
  - name: <node name>
    type: splunk_hec_input
    read_timeout: 10s
    tls:
      min_version: <TLS version>
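The tls sub-parameters and attributes_from_headers described on this page can be checked mechanically before a pipeline is deployed. The following is an added example, not Edge Delta code: a hypothetical audit_hec_node function that takes one already-parsed node dictionary and reports weak settings. The sample nodes are constructed, and flagging a missing tls block or an unset client_auth_type is an assumption, since the page states no default for either.

```python
RANK = {"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}
DEFAULT_MIN = "TLSv1_2"  # documented default for min_version
VERIFIED_AUTH = "requireandverifyclientcert"  # only mode requiring a valid client cert

def audit_hec_node(node):
    """Return a list of findings for one parsed splunk_hec_input node dict."""
    findings = []
    tls = node.get("tls")
    if tls is None:
        findings.append("tls: not configured")  # assumption: no tls block means no TLS
    else:
        if bool(tls.get("crt_file")) != bool(tls.get("key_file")):
            findings.append("tls: crt_file and key_file must be set together")
        if tls.get("ignore_certificate_check", False):
            findings.append("tls.ignore_certificate_check: certificate checks disabled")
        auth = tls.get("client_auth_type", "unset")  # unset is flagged: no documented default
        if auth != VERIFIED_AUTH:
            findings.append(f"tls.client_auth_type: {auth} does not require a valid client cert")
        lo = tls.get("min_version", DEFAULT_MIN)
        hi = tls.get("max_version")  # None means no explicit cap
        for key, val in (("min_version", lo), ("max_version", hi)):
            if val is not None and val not in RANK:
                findings.append(f"tls.{key}: unknown value {val}")
            elif val is not None and RANK[val] < RANK[DEFAULT_MIN]:
                findings.append(f"tls.{key}: {val} is below {DEFAULT_MIN}")
        if RANK.get(hi, 9) < RANK.get(lo, 0):
            findings.append("tls: max_version is lower than min_version")
    headers = [h.lower() for h in node.get("attributes_from_headers", [])]
    if "authorization" in headers:
        findings.append("attributes_from_headers: token is copied to resource.splunk_token")
    return findings

# Constructed sample nodes, as they would look after YAML parsing.
WEAK_NODE = {
    "name": "hec_weak", "type": "splunk_hec_input", "read_timeout": "10s",
    "tls": {"crt_file": "/certs/server-cert.pem", "ignore_certificate_check": True,
            "client_auth_type": "requireanyclientcert", "min_version": "TLSv1_0"},
    "attributes_from_headers": ["Authorization"],
}
HARDENED_NODE = {
    "name": "hec_mtls", "type": "splunk_hec_input", "read_timeout": "10s",
    "tls": {"ca_file": "/certs/ca.pem", "crt_file": "/certs/server-cert.pem",
            "key_file": "/certs/server-key.pem", "client_auth_type": VERIFIED_AUTH},
}

if __name__ == "__main__":
    for n in (WEAK_NODE, HARDENED_NODE):
        print(n["name"], audit_hec_node(n) or "no findings")
```

The Authorization finding is informational: token passthrough is a supported use case, but it means every data item from that node carries the HEC token in resource.splunk_token and any other output receiving those items should be reviewed.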