On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.
Send data to a Splunk index
Use the Send to a Splunk Index sink function to send data to an external Splunk Enterprise system.
This function sends data to a Splunk Enterprise index using the Splunk HTTP Event Collector (HEC). For more information, see the Get data with HTTP Event Collector chapter in the Splunk Enterprise Getting Data In manual.
Prerequisites
Before you can use this function, you must do the following:
- Create a connection. See Create a DSP connection to a Splunk index in the Connect to Data Sources and Destinations with the Data Stream Processor manual. When configuring this sink function, set the connection_id argument to the ID of that connection.
- Format the incoming data to be compatible with Splunk HEC. See Connecting Splunk indexes to your DSP pipeline in the Connect to Data Sources and Destinations with the Data Stream Processor manual.
Function input schema
See Connecting Splunk indexes to your DSP pipeline.
Required arguments
- connection_id
  - Syntax: string
  - Description: The ID of the Splunk Enterprise connection.
  - Example in Canvas View: "576205b3-f6f5-4ab7-8ffc-a4089a95d0c4"
- index
  - Syntax: expression<string>
  - Description: The index to send your data to.
  - Example in Canvas View: "main"
- payload
  - Syntax: expression<bytes>
  - Description: The name of the DSP record field (for example, "bytes") that has the byte payload to be written directly to the HEC endpoint. Set to null if your records are not in bytes.
  - Example in Canvas View: bytes
Optional arguments
- parameters
  - Syntax: map<string, string>
  - Description: The optional parameters you can enter in this function. See the following table for a description of each parameter.
Parameters
The parameters map (map<string, string>) accepts the following optional parameters. Note that every value is given as a string, including booleans and integers. Defaults to empty { }.
- hec-token-validation
  - Input: boolean
  - Description: Set to true to enable HEC token validation. Defaults to true.
  - Example: "hec-token-validation": "true"
- hec-enable-ack
  - Input: boolean
  - Description: Set to true for the function to wait for an acknowledgement for every single event. Set to false if acknowledgements in your Splunk platform are disabled or to increase throughput. Defaults to true.
  - Example: "hec-enable-ack": "true"
- hec-gzip-compression
  - Input: boolean
  - Description: Set to true to compress HEC JSON data and increase throughput at the expense of increasing pipeline CPU utilization. Defaults to false.
  - Example: "hec-gzip-compression": "false"
- http-connection-timeout-ms
  - Input: integer
  - Description: The HTTP connection timeout, in milliseconds. If the HTTP server does not reply within the timeout period, the connection attempt is retried.
  - Example: "http-connection-timeout-ms": "10000"
- http-connect-timeout-ms
  - Input: integer
  - Description: The HTTP connect timeout, in milliseconds. If the HTTP connection is not established within the timeout period, the connection attempt is retried.
  - Example: "http-connect-timeout-ms": "10000"
- http-socket-timeout-ms
  - Input: integer
  - Description: The HTTP socket timeout, in milliseconds. If data is not received from the HTTP server within the timeout period, the socket is closed.
  - Example: "http-socket-timeout-ms": "10000"
- async
  - Input: boolean
  - Description: Set to true to send data asynchronously. In async mode, send operations from DSP do not wait for a response to return, which increases performance. See Performance expectations for sending data from DSP pipelines to Splunk Enterprise. Defaults to false. Best practice is to enable this for performance optimization. When async is enabled, the DSP HEC client attempts to write a HEC JSON payload to the Splunk HEC endpoint a maximum of three times. Each attempt has a 10 second timeout, and a maximum of 100 async I/O operations can happen concurrently across all indexers. If you require additional optimizations and you have a support contract, contact Splunk Customer Support.
  - Example: "async": "true"
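As an added example (not Splunk's code), the following Python resolves a parameters map into the effective typed settings using the types and defaults from the table above; because the map is map<string, string>, booleans and integers arrive as strings, exactly as in the SPL2 examples on this page. The names PARAMETER_SPEC, resolve_parameters and waits_for_ack are assumptions of this example, not part of DSP.

```python
from typing import Any, Dict

# Parameter name -> (value type, documented default), taken from the
# Parameters table above; None means the page documents no default.
PARAMETER_SPEC: Dict[str, tuple] = {
    "hec-token-validation": (bool, True),
    "hec-enable-ack": (bool, True),
    "hec-gzip-compression": (bool, False),
    "http-connection-timeout-ms": (int, None),
    "http-connect-timeout-ms": (int, None),
    "http-socket-timeout-ms": (int, None),
    "async": (bool, False),
}

def _parse_bool(name: str, raw: str) -> bool:
    # Accept only the literal strings "true"/"false" so that a value such as
    # "yes" or "1" is rejected instead of being silently treated as false.
    lowered = raw.strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    raise ValueError(f"{name}: expected 'true' or 'false', got {raw!r}")

def _parse_int(name: str, raw: str) -> int:
    value = int(raw.strip())  # ValueError on non-numeric input
    if value <= 0:
        raise ValueError(f"{name}: timeout must be a positive number of ms")
    return value

def resolve_parameters(parameters: Dict[str, str]) -> Dict[str, Any]:
    """Effective typed settings: documented defaults overridden by the keys
    present in the map. Unknown keys (e.g. the typo "hec-enable-acks") are
    an error rather than being ignored."""
    unknown = sorted(set(parameters) - set(PARAMETER_SPEC))
    if unknown:
        raise KeyError(f"unsupported parameter(s): {unknown}")
    effective: Dict[str, Any] = {k: d for k, (_, d) in PARAMETER_SPEC.items()}
    for name, raw in parameters.items():
        kind, _ = PARAMETER_SPEC[name]
        effective[name] = _parse_bool(name, raw) if kind is bool else _parse_int(name, raw)
    return effective

def waits_for_ack(effective: Dict[str, Any]) -> bool:
    """True only when each event is acknowledged before the send completes:
    hec-enable-ack=false turns the acknowledgement off, and async mode does
    not wait for the response at all."""
    return effective["hec-enable-ack"] and not effective["async"]

# Constructed input mirroring the SPL2 example on this page.
EXAMPLE_CONFIG = resolve_parameters({"hec-enable-ack": "false", "hec-token-validation": "true"})
```

Resolving the map this way before deploying a pipeline makes the throughput-versus-confirmation trade-off (hec-enable-ack, async) explicit instead of buried in string values.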
SPL2 example
In this example, your data comes out of batch_bytes as batched byte payloads with a max size of 2MB and is passed into the splunk_enterprise sink function. This data is then sent to the Splunk Enterprise endpoint for indexing.
When working in the SPL View, you can write the function by providing all arguments in this exact order.
...| batch_bytes bytes=to_bytes(host) size="2MB" millis=5000 | into splunk_enterprise( "b5c57cbd-1470-4639-9938-deb3509cbbc8", "events_idx", bytes, {"hec-enable-ack": "false", "hec-token-validation": "true"} );
Alternatively, you can use named arguments to declare the arguments in any order and leave out optional arguments you don't want to declare. All unprovided arguments use their default values. The following example provides the arguments in an arbitrary order.
...| batch_bytes bytes=to_bytes(host) size="2MB" millis=5000 | into splunk_enterprise( index: "events_idx", connection_id: "b5c57cbd-1470-4639-9938-deb3509cbbc8", parameters: {"hec-enable-ack": "false", "hec-token-validation": "true"}, payload: bytes );
If you want to use a mix of unnamed and named arguments in your functions, you need to list all unnamed arguments in the correct order before providing the named arguments.
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6