Edge Delta Splunk HEC Destination

Configure the Edge Delta Splunk destination to send telemetry data using the Splunk output node with optional TLS and token passthrough settings.

Overview

The Splunk destination node sends items to a Splunk destination. It sends raw bytes generated by marshaling items as JSON.

Configure Splunk

See Send Data to Splunk.

Configure Edge Delta

Next, you configure the Edge Delta agent to forward data to the Splunk endpoint.

Example Configuration

- name: my_splunk
  type: splunk_output
  index: my_index
  endpoint: <REDACTED>
  token: <REDACTED>

Required Parameters

name

A descriptive name for the node. This is the name that will appear in pipeline builder and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: splunk_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

endpoint

The endpoint parameter is the full Splunk HEC URI. It is specified as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

index

The index parameter defines which Splunk index the node flushes data into. It is specified as a string. Although it appears in this Required Parameters section, as of v2.5.0 it is optional: leave it empty to use the default index configured for the HEC token in Splunk.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  index: <index>

token

The token parameter provides the Splunk HEC token. It is written as a string and is required.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>

Optional Parameters

token_expression

Minimum Agent Version: v2.5.0

The token_expression parameter lets you dynamically override the Splunk HEC token with an OTTL expression. It enables token passthrough: a token captured by the Splunk HEC input node is reused to forward the data to Splunk under the same authentication context. It is specified as a string containing an OTTL expression and is optional.

When configured, the expression is evaluated for each data item; if it yields a token value, that token is used instead of the static token in the token parameter, otherwise the static token is the fallback. A common use case is to reference resource["splunk_token"], which holds the token captured by the Splunk HEC input node when its attributes_from_headers list includes Authorization. Note that the expression is not an access check: whatever token it yields is sent to the Splunk endpoint, which accepts or rejects it, so the downstream Splunk instance remains the authority on which tokens are valid.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <DEFAULT_TOKEN>
  token_expression: resource["splunk_token"]

Token Passthrough Example:

nodes:
  # Splunk HEC input captures the original token
  - name: splunk_in
    type: splunk_hec_input
    port: 8088
    read_timeout: 30s
    attributes_from_headers:
      - Authorization  # Captures token to resource.splunk_token

  # Splunk output reuses the captured token, falling back to the static one
  - name: splunk_out
    type: splunk_output
    endpoint: https://splunk.example.com:8088/services/collector
    token: default-fallback-token
    token_expression: resource["splunk_token"]
    index: forwarded_events

links:
  - from: splunk_in
    to: splunk_out

In this configuration:

  1. The Splunk HEC input captures the Authorization header from each incoming request
  2. The captured token is stored in resource.splunk_token on each data item
  3. The Splunk output evaluates the token_expression for each item
  4. If a token exists in resource["splunk_token"], it is used to authenticate that item to Splunk
  5. If no token is found, the static token parameter value is used as the fallback

tls

The tls parameter is a dictionary type that enables a number of options to be set using sub-parameters. It is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    <tls options>

ca_file The ca_file parameter is a child of the tls parameter. It specifies the CA certificate file used to verify the certificate presented by the Splunk endpoint. It is specified as a string and is optional. Pointing this at your organization's CA (or the CA that issued the Splunk certificate) is the supported way to trust a private certificate; it avoids the need for ignore_certificate_check.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ca_file: /certs/ca.pem

ca_path The ca_path parameter is a child of the tls parameter. It specifies the location of the CA certificate files. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ca_path: <path>

client_auth_type The client_auth_type parameter is a child of the tls parameter. It specifies the client certificate authentication policy to use for the connection. It is specified as a string from a closed list and is optional. The values mirror Go's tls.ClientAuthType; the certificate and key the agent itself presents for mutual TLS are supplied with crt_file and key_file.

The following authentication methods are available:

  • noclientcert indicates that no client certificate should be requested during the handshake, and if any certificates are sent they will not be verified.
  • requestclientcert indicates that a client certificate should be requested during the handshake, but does not require that the client send any certificates.
  • requireanyclientcert indicates that a client certificate should be requested during the handshake, and that at least one certificate is required from the client, but that certificate is not required to be valid.
  • verifyclientcertifgiven indicates that a client certificate should be requested during the handshake, but does not require that the client sends a certificate. If the client does send a certificate it is required to be valid.
  • requireandverifyclientcert indicates that a client certificate should be requested during the handshake, and that at least one valid certificate is required to be sent by the client.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    client_auth_type: <auth type>

crt_file The crt_file parameter is a child of the tls parameter. It specifies the certificate file the agent presents on the connection, together with the private key in key_file, when the Splunk endpoint requires a client certificate. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    crt_file: /certs/server-cert.pem

ignore_certificate_check The ignore_certificate_check parameter is a child of tls. It specifies whether to disable certificate verification for the remote endpoint. It is specified as a Boolean and the default is false. It is optional.

Leave this at false in production. With verification disabled the agent will complete a TLS handshake with any party that answers at the endpoint, so an on-path attacker can impersonate Splunk and capture the HEC token and every forwarded event. If the Splunk certificate is self-signed or issued by a private CA, trust that CA with ca_file or ca_path instead.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    ignore_certificate_check: true

key_file The key_file parameter is a child of the tls parameter. It specifies the private key file that matches the certificate in crt_file. It is specified as a string and is optional. Restrict filesystem permissions on this file to the agent's user; anyone who can read it can impersonate the agent to Splunk.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    key_password: <password>
    key_file: <path to file>

key_password The key_password parameter is a child of the tls parameter. It specifies the password used to decrypt the private key in key_file when that key is stored encrypted. It is specified as a string and is optional.

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    key_password: <password>
    key_file: <path to file>

max_version The max_version parameter is a child of the tls parameter. It specifies the maximum version of TLS to accept. It is specified as a string and is optional. Setting it below TLSv1_2 forces the connection onto TLS 1.0 or 1.1, both of which are deprecated (RFC 8996); only do so to work around a legacy endpoint, and remove the setting once that endpoint is upgraded.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    max_version: <TLS version>

min_version The min_version parameter is a child of the tls parameter. It specifies the minimum version of TLS to accept. It is specified as a string and is optional. The default is TLSv1_2, which already excludes the deprecated TLS 1.0 and 1.1; lowering it re-enables those versions, while raising it to TLSv1_3 requires that the Splunk endpoint support TLS 1.3. If both are set, min_version must not exceed max_version or no handshake can succeed.

You can select one of the following options:

  • TLSv1_0
  • TLSv1_1
  • TLSv1_2
  • TLSv1_3

- name: my_splunk
  type: splunk_output
  endpoint: <REDACTED>
  token: <REDACTED>
  tls:
    min_version: <TLS version>
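The token passthrough wiring and the TLS settings above are easy to get subtly wrong in a large pipeline (a token_expression that never resolves because no HEC input feeds the output, a max_version below min_version, or ignore_certificate_check left on from a test). The following lint is an added example, not Edge Delta code: it walks a pipeline that has already been loaded from YAML into Python dicts using exactly the keys this page documents (nodes, links, type, endpoint, token, token_expression, attributes_from_headers, and the tls children) and reports the weak settings. The two sample pipelines, the rule wording, and the assumption that links are expressed as from/to pairs are constructed for the example.

```python
"""Added example (not Edge Delta code): pre-deployment lint for splunk_output nodes.

Assumes the pipeline YAML was loaded into dicts that use the keys documented on
the Splunk output page. Sample pipelines below are constructed for the example.
"""
from __future__ import annotations

# Order matters: list position is used to compare versions.
TLS_VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
FLOOR = "TLSv1_2"  # page default for min_version; TLS 1.0/1.1 are deprecated (RFC 8996)


def _rank(version: str | None) -> int | None:
    """Position of a TLS version string in TLS_VERSIONS, or None if unknown/absent."""
    return TLS_VERSIONS.index(version) if version in TLS_VERSIONS else None


def _upstream(name: str, links: list[dict]) -> set[str]:
    """All node names that feed `name`, following from/to links transitively."""
    seen, todo = set(), [name]
    while todo:
        cur = todo.pop()
        for link in links:
            src = link.get("from")
            if link.get("to") == cur and src not in seen:
                seen.add(src)
                todo.append(src)
    return seen


def lint_splunk_output(node: dict, pipeline: dict) -> list[str]:
    """Return findings for one splunk_output node; an empty list means clean."""
    if node.get("type") != "splunk_output":
        return []
    name = node.get("name", "<unnamed>")
    tls = node.get("tls") or {}
    out: list[str] = []

    for req in ("endpoint", "token"):
        if not node.get(req):
            out.append(f"{name}: missing required parameter '{req}'")

    if str(node.get("endpoint", "")).startswith("http://"):
        out.append(f"{name}: endpoint uses plaintext HTTP; the HEC token and events are sent unencrypted")

    if tls.get("ignore_certificate_check"):
        out.append(f"{name}: tls.ignore_certificate_check is true; the Splunk certificate is not verified, "
                   "so an on-path attacker can impersonate the endpoint and capture the HEC token")

    min_v = tls.get("min_version", FLOOR)
    max_v = tls.get("max_version")
    for key, val in (("min_version", min_v), ("max_version", max_v)):
        if val is not None and _rank(val) is None:
            out.append(f"{name}: tls.{key} '{val}' is not one of {TLS_VERSIONS}")
    if _rank(min_v) is not None and _rank(min_v) < _rank(FLOOR):
        out.append(f"{name}: tls.min_version {min_v} permits deprecated TLS 1.0/1.1; use {FLOOR} or higher")
    if _rank(max_v) is not None and _rank(max_v) < _rank(FLOOR):
        out.append(f"{name}: tls.max_version {max_v} forces a deprecated protocol version")
    if _rank(max_v) is not None and _rank(min_v) is not None and _rank(max_v) < _rank(min_v):
        out.append(f"{name}: tls.max_version {max_v} is below tls.min_version {min_v}; no handshake can succeed")

    if bool(tls.get("crt_file")) != bool(tls.get("key_file")):
        out.append(f"{name}: tls.crt_file and tls.key_file must be set together for a client certificate")

    expr = node.get("token_expression")
    if expr and 'resource["splunk_token"]' in expr:
        # Passthrough only resolves if an upstream splunk_hec_input captured the
        # Authorization header; otherwise the static token silently applies to every item.
        feeders = _upstream(name, pipeline.get("links", []))
        captured = any(
            n.get("type") == "splunk_hec_input"
            and "Authorization" in (n.get("attributes_from_headers") or [])
            for n in pipeline.get("nodes", [])
            if n.get("name") in feeders
        )
        if not captured:
            out.append(f"{name}: token_expression reads resource[\"splunk_token\"] but no linked "
                       "splunk_hec_input captures the Authorization header; the static token will always be used")
    return out


def lint_pipeline(pipeline: dict) -> list[str]:
    findings: list[str] = []
    for node in pipeline.get("nodes", []):
        findings.extend(lint_splunk_output(node, pipeline))
    return findings


# Constructed sample: the weak settings this page warns about, all in one node.
WEAK_PIPELINE = {
    "nodes": [
        {"name": "splunk_weak", "type": "splunk_output",
         "endpoint": "http://splunk.example.com:8088/services/collector",
         "token": "static-token-placeholder",
         "token_expression": 'resource["splunk_token"]',
         "tls": {"ignore_certificate_check": True, "min_version": "TLSv1_0", "max_version": "TLSv1_1"}},
    ],
    "links": [],
}

# Constructed sample: the hardened form, with passthrough wired to a HEC input.
HARDENED_PIPELINE = {
    "nodes": [
        {"name": "splunk_in", "type": "splunk_hec_input", "port": 8088,
         "attributes_from_headers": ["Authorization"]},
        {"name": "splunk_out", "type": "splunk_output",
         "endpoint": "https://splunk.example.com:8088/services/collector",
         "token": "static-token-placeholder",
         "token_expression": 'resource["splunk_token"]',
         "tls": {"ca_file": "/certs/ca.pem", "min_version": "TLSv1_2"}},
    ],
    "links": [{"from": "splunk_in", "to": "splunk_out"}],
}

if __name__ == "__main__":
    for label, pipeline in (("weak", WEAK_PIPELINE), ("hardened", HARDENED_PIPELINE)):
        findings = lint_pipeline(pipeline)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the weak node produce five findings and the hardened node none; in practice, load the real agent configuration with a YAML parser and pass the resulting dict to lint_pipeline in CI so that a pipeline with ignore_certificate_check, a deprecated TLS floor, or an unwired token_expression is rejected before it ships.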