Splunk

Supported pipeline types:
  • Data Collector

The Splunk destination writes data to Splunk using the Splunk HTTP Event Collector (HEC). For information about supported versions, see Supported Systems and Versions in the Data Collector documentation.

The destination sends HTTP POST requests to the HEC endpoint using the JSON data format. The destination generates one HTTP request for each batch, sending multiple records at a time. Each record must contain the event data and optionally the event metadata in the format required by Splunk.

Before you configure the destination, you must complete several prerequisites, including enabling HEC in Splunk and creating an HEC authentication token.

When you configure the Splunk destination, you supply the Splunk API endpoint and the HEC authentication token. You can configure the timeout, request transfer encoding, and authentication type. You can configure the destination to use the Gzip or Snappy compression format to write the data. You can optionally use an HTTP proxy and configure SSL/TLS properties.

You can also configure the destination to log request and response information.
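
The batch request described above, sketched as an added Python example (not StreamSets or Splunk code): it builds one POST body for a batch in the HEC event format, optionally Gzip-compressed, and redacts the token before the headers are written to a request log. The `event` key, the metadata key names, and the `Authorization: Splunk <token>` header follow Splunk's HEC conventions; the function names, sample records, and all-zero token are constructed for illustration.

```python
import gzip
import json

# Metadata keys that Splunk HEC accepts alongside "event".
HEC_METADATA_KEYS = {"time", "host", "source", "sourcetype", "index", "fields"}

def validate_record(record):
    """Reject records that are not usable as an HEC event object."""
    if not isinstance(record, dict) or "event" not in record:
        raise ValueError("record must be an object with an 'event' key")
    if record["event"] in ("", None):
        raise ValueError("'event' must not be empty")
    # This example's own strictness: flag other keys so typos are caught early.
    unknown = set(record) - HEC_METADATA_KEYS - {"event"}
    if unknown:
        raise ValueError(f"unexpected top-level keys: {sorted(unknown)}")
    return record

def build_batch_request(records, token, compress=False):
    """Return (headers, body) for one HTTP POST carrying a whole batch."""
    # HEC batches are event objects written one after another, not a JSON array.
    lines = [json.dumps(validate_record(r)) for r in records]
    body = "\n".join(lines).encode("utf-8")
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    if compress:
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return headers, body

def loggable_headers(headers):
    """Copy of the headers that is safe to write to a request log."""
    return {k: ("Splunk <redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}

# Constructed sample batch and placeholder token (not real values).
SAMPLE_TOKEN = "00000000-0000-0000-0000-000000000000"
SAMPLE_BATCH = [
    {"event": {"action": "login", "user": "alice", "result": "failure"},
     "time": 1700000000, "host": "web01", "sourcetype": "_json"},
    {"event": "plain text event"},
]

if __name__ == "__main__":
    hdrs, payload = build_batch_request(SAMPLE_BATCH, SAMPLE_TOKEN, compress=True)
    print(loggable_headers(hdrs), len(payload), "bytes")
```

If request logging is enabled anywhere on the path, the HEC token in the `Authorization` header is the value to keep out of the log output.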