Splunk® Data Stream Processor

Function Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Send data to a Splunk index

Use the Send to a Splunk Index sink function to send data to an external Splunk Enterprise system.

This function sends data to a Splunk Enterprise index using the Splunk HTTP Event Collector (HEC). For more information, see the Get data with HTTP Event Collector chapter in the Splunk Enterprise Getting Data In manual.


Before you can use this function, you must do the following:

Function input schema

See Connecting Splunk indexes to your DSP pipeline.

Required arguments

Syntax: string
Description: The ID of the Splunk Enterprise Connection.
Example in Canvas View: "576205b3-f6f5-4ab7-8ffc-a4089a95d0c4"
Syntax: expression<string>
Description: The index to send your data to.
Example in Canvas View: "main"
Syntax: expression<bytes>
Description: The name of the DSP record field (for example, "bytes") that has the byte payload to be written directly to the HEC endpoint. Set to null if your records are not in bytes.
Example in Canvas View: bytes

Optional arguments

Syntax: map<string, string>
Description: The optional parameters you can enter in this function. See the following table for a description of each parameter.
Parameter Input Description Example
parameters map<string, string> The following rows list the optional parameters you can enter in this function. See the "Parameters" table for available options. Defaults to empty { }.
hec-token-validation boolean Set to true to enable HEC token validation. Defaults to true. hec-token-validation: true
hec-enable-ack boolean Set to true for the function to wait for an acknowledgement for every single event. Set to false if acknowledgments in your Splunk platform are disabled or to increase throughput. Defaults to true. hec-enable-ack: true
hec-gzip-compression boolean Set to true to compress HEC JSON data and increase throughput at the expense of increasing pipeline CPU utilization. Defaults to false. hec-gzip-compression: false

SPL2 example

In this example, your data comes out of batch_bytes as batched byte payloads with a max size of 2MB and is passed into the splunk_enterprise sink function. This data is then sent to the Splunk Enterprise endpoint for indexing.

When working in the SPL View, you can write the function by providing all arguments in this exact order.

...| batch_bytes bytes=to_bytes(host) size="2MB" millis=5000
| into splunk_enterprise(
    {"hec-enable-ack": "false", "hec-token-validation": "true"}

Alternatively, you can use named arguments to declare the arguments in any order and leave out optional arguments you don't want to declare. All unprovided arguments use their default values. The following example provides the arguments in an arbitrary order.

...| batch_bytes bytes=to_bytes(host) size="2MB" millis=5000
| into splunk_enterprise(
    index: "events_idx",
    connection_id: "b5c57cbd-1470-4639-9938-deb3509cbbc8",
    parameters: {"hec-enable-ack": "false", "hec-token-validation": "true"},
    payload : bytes

If you want to use a mix of unnamed and named arguments in your functions, you need to list all unnamed arguments in the correct order before providing the named arguments.

Last modified on 14 April, 2021
Send data to a Splunk index with batching
Send data to a Splunk index (Default for Environment)

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters