Required Record Format

Splunk requires that the event data and metadata be correctly formatted in the record. If the record is formatted incorrectly, an error occurs and the destination fails to write to Splunk. When you design a pipeline with the Splunk destination, you must ensure that the record sent to the destination uses the required format.

The record must contain an /event field that contains the event data. The /event field can be a string, map, or list-map field. For more information, see Event data in the Splunk documentation.
Important: The Splunk destination does not support raw events. Events must be sent in the /event field.

The record can optionally contain event metadata fields. Splunk includes several pre-defined keys that can be included in the event metadata. Any metadata key-value pairs that are not included in the event are set to values defined for the token on the Splunk server. For a list of the keys that can be included in event metadata, see Event metadata in the Splunk documentation.

For example, the following record includes three of the keys that can be included in event metadata and an /event field using the Map data type:
{
    "time": 1437522387,
    "host": "myserver.example.com",
    "source": "myapp",
    "event": {
        "message": "Here is my message",
        "severity": "INFO"
    }
}
The following record includes five of the keys that can be included in event metadata and an /event field using the String data type:
{
    "time": 1426279439, // epoch time
    "host": "localhost",
    "source": "datasource",
    "sourcetype": "txt",
    "index": "main",
    "event": "Here is my event"
}
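Because a malformed record makes the destination fail to write, it is useful to check records against the rules above before they reach the Splunk destination. The following pre-flight validator is an added example, not code from the original documentation or from the destination itself; it encodes only the rules stated on this page (a mandatory /event field that is a string, map or list-map, plus the five metadata keys shown in the examples) and assumes that /time, when present, is a numeric epoch value as in the examples.

```python
"""Pre-flight check for records bound for the Splunk destination (added example)."""
from numbers import Number

REQUIRED_FIELD = "event"
# Metadata keys that appear in the page's examples. Assumption: this is the
# set of keys the pipeline is expected to emit; anything else is reported.
METADATA_KEYS = {"time", "host", "source", "sourcetype", "index"}


def _is_list_map(value):
    """A list-map is a non-empty list whose elements are all maps."""
    return isinstance(value, list) and bool(value) and all(isinstance(v, dict) for v in value)


def validate_record(record):
    """Return a list of problems; an empty list means the record is well formed."""
    problems = []
    if not isinstance(record, dict):
        return ["record must be a map at the top level"]

    if REQUIRED_FIELD not in record:
        # Raw events are not supported: the event data must sit under /event.
        problems.append("missing required /event field (raw events are not supported)")
    else:
        event = record[REQUIRED_FIELD]
        if not (isinstance(event, (str, dict)) or _is_list_map(event)):
            problems.append("/event must be a string, map, or list-map, got %s" % type(event).__name__)

    # Assumption drawn from the examples: /time is an epoch number, not a text timestamp.
    time_value = record.get("time")
    if "time" in record and (isinstance(time_value, bool) or not isinstance(time_value, Number)):
        problems.append("/time must be a numeric epoch timestamp")

    # Report top-level fields that are neither /event nor a known metadata key.
    for key in sorted(set(record) - METADATA_KEYS - {REQUIRED_FIELD}):
        problems.append("unrecognized top-level field /%s" % key)
    return problems


# Sample records: the first is the page's map example; the other two are constructed.
GOOD_MAP_EVENT = {"time": 1437522387, "host": "myserver.example.com", "source": "myapp",
                  "event": {"message": "Here is my message", "severity": "INFO"}}
RAW_EVENT = {"host": "localhost", "message": "raw line with no /event field"}
BAD_TIME = {"time": "2015-03-13T19:23:59Z", "event": "Here is my event"}

if __name__ == "__main__":
    for name, rec in [("good", GOOD_MAP_EVENT), ("raw", RAW_EVENT), ("bad_time", BAD_TIME)]:
        print(name, validate_record(rec) or "OK")
```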