Splunk HEC receiver
The Splunk HEC receiver allows the Splunk Distribution of the OpenTelemetry Collector to collect logs and metrics in Splunk HTTP Event Collector format.
The Splunk HTTP Event Collector (HEC) receiver allows the Splunk Distribution of the OpenTelemetry Collector to collect events and logs in Splunk HEC format. The supported pipeline types are metrics and logs. See Process your data with pipelines for more information.
The receiver accepts data formatted as JSON HEC events under any path or as end-of-line separated log raw data if sent to the raw_path. See Format events for HTTP Event Collector for more information.
Get started
Follow these steps to configure and activate the component:
- Deploy the Splunk Distribution of the OpenTelemetry Collector to your host or container platform:
- Configure the Splunk HEC receiver as described in the next section.
- Restart the Collector.
Sample configuration
To activate the Splunk HEC receiver, add a splunk_hec entry inside the receivers section of the Collector configuration file:

    receivers:
      splunk_hec:

To complete the configuration, include the receiver in the required pipeline of the service section of your configuration file. For example:

    service:
      pipelines:
        metrics:
          receivers: [splunk_hec]

Configuration example
The following example shows a Splunk HEC receiver configured with all available settings:

    receivers:
      # ...
      splunk_hec:
        # Address and port the Splunk HEC receiver should bind to
        endpoint: localhost:8088
        # Whether to preserve incoming access token
        access_token_passthrough: true
        # Path accepting raw HEC events (logs only)
        raw_path: "/foo"
        # Path reporting health checks
        health_path: "/bar"
        # Define field mappings
        hec_metadata_to_otel_attrs:
          source: "file.name"
          sourcetype: "foobar"
          index: "myindex"
          host: "myhostfield"
        # Optional TLS settings
        tls:
          # Both cert_file and
          # key_file are required
          # for TLS connections
          cert_file: /test.crt
          key_file: /test.key

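
The following Python check is an added example, not part of the Splunk documentation or the Collector code. It audits an already parsed splunk_hec receiver block for the transport settings shown in the configuration example above. The function names, the finding messages, and the WEAK and HARDENED samples are constructed for illustration, and the configuration is assumed to be loaded into a dict beforehand.

```python
import ipaddress

def is_loopback(endpoint):
    """True when the bind host of 'host:port' is localhost or a loopback IP."""
    host = endpoint.rpartition(":")[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or other hostname: treat as network-reachable

def audit_splunk_hec(receiver):
    """Return a list of findings for one parsed splunk_hec receiver mapping."""
    findings = []
    endpoint = receiver.get("endpoint", "")
    tls = receiver.get("tls") or {}
    has_cert, has_key = bool(tls.get("cert_file")), bool(tls.get("key_file"))
    # The page states that cert_file and key_file are both required for TLS.
    if has_cert != has_key:
        findings.append("tls: cert_file and key_file must both be set")
    tls_ok = has_cert and has_key
    # Only an explicit endpoint is assessed; the default bind address is not assumed.
    if endpoint and not tls_ok and not is_loopback(endpoint):
        findings.append(f"endpoint {endpoint!r} accepts plaintext HEC traffic from the network")
    if receiver.get("access_token_passthrough") and not tls_ok:
        findings.append("access_token_passthrough without tls: preserved tokens arrive unencrypted")
    if receiver.get("raw_path") and receiver.get("raw_path") == receiver.get("health_path"):
        findings.append("raw_path and health_path are the same path")
    return findings

# Constructed samples that reuse the keys and values of the configuration example.
WEAK = {"endpoint": "0.0.0.0:8088", "access_token_passthrough": True,
        "raw_path": "/foo", "health_path": "/bar",
        "tls": {"cert_file": "/test.crt"}}  # key_file missing, so TLS is incomplete
HARDENED = {"endpoint": "0.0.0.0:8088", "access_token_passthrough": True,
            "raw_path": "/foo", "health_path": "/bar",
            "tls": {"cert_file": "/test.crt", "key_file": "/test.key"}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_splunk_hec(cfg) or "no findings")
```
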
Authorize HTTP requests
To allow the receiver to work with client extensions, add the following in the Collector service and pipeline configuration:
For advanced users, you can implement your own authentication extension to fulfill your requirements using the open-telemetry auth Go package and Configure TLS.
Settings
The following table shows the configuration options for the Splunk HEC receiver:
https://raw.githubusercontent.com/splunk/collector-config-tools/main/cfg-metadata/receiver/splunk_hec.yaml
Troubleshooting
If you are a Splunk Observability Cloud customer and are not able to see your data in Splunk Observability Cloud, you can get help in the following ways.
Available to Splunk Observability Cloud customers
- Submit a case in the Splunk Support Portal.
- Contact Splunk Support.
Available to prospective customers and free trial users
- Ask a question and get answers through community support at Splunk Answers.
- Join the Splunk #observability user group Slack channel to communicate with customers, partners, and Splunk employees worldwide. To join, see Chat groups.