Precedence order of HEC tokens and metadata field values

When configuring a Splunk platform HEC destination, you must specify a default HEC token. This default token is used only if the data is not already associated with a HEC token. For example, if the Edge Processor receives an event through HEC, and the Authorization header in the HTTP request that transmitted that event includes a HEC token, then the token in the header is used when you send this event from your Edge Processor to the Splunk platform.

Additionally, you can specify default values for some of the metadata fields in the events.

Source field

When you send data out from an Edge Processor using a Splunk platform HEC destination, the value of the source field is determined based on the following precedence order:

  1. The source value that is already specified in the event before the Edge Processor receives it.
  2. The Default source setting specified in the Splunk platform HEC destination.
  3. The Source name override setting specified in the HEC token being used.

Sourcetype field

When you send data out from an Edge Processor using a Splunk platform HEC destination, the value of the sourcetype field is determined based on the following precedence order:

  1. The sourcetype value that is already specified in the event before the Edge Processor receives it.
  2. The Default source type setting specified in the Splunk platform HEC destination.
  3. The Source type setting specified in the HEC token being used.
  4. The Default Source Type setting specified in the HEC shared settings of a Splunk Enterprise deployment. This setting is applicable only when you are sending data to Splunk Enterprise.
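
The following added example (not Splunk code) models the token, source, and sourcetype precedence rules described above and reports which layer supplied each value, which helps when auditing why an event arrived with a given token or sourcetype. All function names, dictionary keys, and token values are hypothetical stand-ins for the settings named on this page.

```python
# Model of the precedence rules on this page (added example, not Splunk code).
# Parameter names and dict keys are hypothetical stand-ins for the settings.

def first_set(candidates):
    """Return (value, layer) for the first candidate with a non-empty value."""
    for layer, value in candidates:
        if value:
            return value, layer
    return None, None


def resolve_outbound(event, header_token, destination, token_settings,
                     enterprise_shared=None):
    """Resolve token, source and sourcetype for one outbound event.

    enterprise_shared is None unless the target is Splunk Enterprise.
    """
    # A token already associated with the data wins over the default token.
    token, token_layer = first_set([
        ("request Authorization header", header_token),
        ("destination default token", destination["default_token"]),
    ])
    tok = token_settings.get(token, {})  # settings of the token being used
    source = first_set([
        ("event", event.get("source")),
        ("destination Default source", destination.get("default_source")),
        ("token Source name override", tok.get("source_override")),
    ])
    chain = [
        ("event", event.get("sourcetype")),
        ("destination Default source type", destination.get("default_sourcetype")),
        ("token Source type", tok.get("sourcetype")),
    ]
    if enterprise_shared is not None:  # step 4: Splunk Enterprise only
        chain.append(("HEC shared settings Default Source Type",
                      enterprise_shared.get("default_sourcetype")))
    return {"token": (token, token_layer), "source": source,
            "sourcetype": first_set(chain)}


# Constructed sample settings; the token values are placeholders.
DEST = {"default_token": "DEFAULT-TOKEN", "default_source": None,
        "default_sourcetype": None}
TOKENS = {"DEFAULT-TOKEN": {"source_override": "ep-default", "sourcetype": None},
          "CLIENT-TOKEN": {"source_override": "client-app", "sourcetype": "app:json"}}

if __name__ == "__main__":
    print(resolve_outbound({}, "CLIENT-TOKEN", DEST, TOKENS))
```

Note that the token-level fallbacks follow whichever token is actually used, so an event that arrives with its own token picks up that token's settings rather than those of the destination's default token.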

Index field

The index value is determined based on an extensive precedence order of configurations. See "Index precedence order when using HEC" for more information.