Splunk HEC exporter
The Splunk HTTP Event Collector (HEC) exporter allows the OpenTelemetry Collector to send traces, logs, and metrics to Splunk HEC endpoints. The supported pipeline types are traces, metrics, and logs. See Configure pipelines for more information.
The main purpose of the Splunk HEC exporter is to send logs to Log Observer, Splunk Cloud Platform, or Splunk Enterprise. Log Observer Connect is now used to pull the Splunk Cloud Platform and Splunk Enterprise indexes into Observability Cloud. See Splunk Log Observer Connect for more information.
Note
For information about the HEC receiver, see Splunk HEC receiver.
Get started
By default, the Splunk Distribution of OpenTelemetry Collector includes the Splunk HEC exporter in the logs pipeline when deploying in agent mode. See Collector deployment modes for more information.
Note
To send Splunk HEC data through a proxy, configure proxy settings as environment variables. See Configure proxy settings for more information.
Sample configurations
The following example shows a Splunk HEC exporter instance configured for a logs pipeline in the Collector configuration file:
exporters:
  # ...
  splunk_hec:
    token: "<hec-token>"
    endpoint: "<hec-endpoint>"
    # Source. See https://docs.splunk.com/Splexicon:Source
    source: "otel"
    # Source type. See https://docs.splunk.com/Splexicon:Sourcetype
    sourcetype: "otel"
# ...
service:
  # ...
  pipelines:
    logs:
      receivers: [fluentforward, otlp]
      processors:
      - memory_limiter
      - batch
      - resourcedetection
      exporters: [splunk_hec]
The Splunk HEC exporter requires a Splunk HEC token and endpoint. Obtaining a HEC token and choosing a HEC endpoint depends on the target. The following table shows endpoints and instructions for each back end.
Back end | Endpoint | Tokens |
---|---|---|
Splunk Cloud Platform | See Send data to HTTP Event Collector on Splunk Cloud Platform | See Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform |
Splunk Enterprise | | |
Splunk Observability Cloud | | See Create and manage organization access tokens using Splunk Observability Cloud. |
In the ingest endpoint URL, realm is the Observability Cloud realm, for example, us0. To find the realm name of your account, follow these steps:
Open the left navigation menu in Observability Cloud.
Select .
Select your username.
The realm name appears in the Organizations section.
Send logs to Splunk Cloud Platform or Splunk Enterprise
If you're using the Collector for log collection and need to send data to Splunk Cloud Platform or Splunk Enterprise, configure the splunk_hec exporter to use your Splunk endpoint and token. For example:
exporters:
  splunk_hec:
    # Splunk HTTP Event Collector token.
    token: "00000000-0000-0000-0000-0000000000000"
    # URL to a Splunk instance to send data to.
    endpoint: "https://splunk:8088/services/collector"
    # Optional Splunk source: https://docs.splunk.com/Splexicon:Source
    source: "otel"
    # Optional Splunk source type: https://docs.splunk.com/Splexicon:Sourcetype
    sourcetype: "otel"
    # Splunk index, optional name of the Splunk index targeted.
    index: "metrics"
    # Maximum HTTP connections to use simultaneously when sending data. Defaults to 100.
    max_connections: 20
    # Whether to deactivate gzip compression over HTTP. Defaults to false.
    disable_compression: false
    # HTTP timeout when sending data. Defaults to 10s.
    timeout: 10s
    # Whether to skip checking the certificate of the HEC endpoint when sending data over HTTPS. Defaults to false.
    # When set to true, as in this example, the Collector does not verify the endpoint's certificate.
    tls:
      insecure_skip_verify: true
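Added example, not from the Splunk documentation or the Collector code base: a Python check that reads a Collector configuration and reports splunk_hec exporters whose token is written into the file instead of read from an environment variable, whose endpoint is plain HTTP, or that set insecure_skip_verify to true. The function names, finding texts and the SAMPLE input are assumptions made for this example, and the parser handles only block-style YAML as used on this page.

```python
import re

# Constructed sample: first exporter uses values from this page, second reads the token from the environment.
SAMPLE = """\
exporters:
  splunk_hec/platform:
    token: "00000000-0000-0000-0000-0000000000000"
    endpoint: "https://splunk:8088/services/collector"
    tls:
      insecure_skip_verify: true
  splunk_hec/hardened:
    token: "${SPLUNK_HEC_TOKEN}"
    endpoint: "https://splunk:8088/services/collector"
service:
  pipelines:
    logs:
      exporters: [splunk_hec/platform, splunk_hec/hardened]
"""
ENV_REF = re.compile(r"^\$\{(env:)?[A-Za-z_][A-Za-z0-9_]*\}$")

def splunk_hec_settings(text):
    """Map each splunk_hec exporter to its flattened settings (block-style YAML only)."""
    found, section, name, name_indent = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = line.partition(":")
        if indent == 0:  # new top-level section
            section, name, name_indent = key, None, None
        elif section == "exporters" and indent <= (name_indent or indent):
            name_indent = indent  # exporter names are direct children of exporters
            name = key if key.split("/")[0] == "splunk_hec" else None
        elif name:  # a setting of the current splunk_hec exporter, nested or not
            found.setdefault(name, {})[key] = value.strip().strip("\"'")
    return found

def audit(text):
    """Return (exporter, finding) pairs for risky splunk_hec settings."""
    out = []
    for name, cfg in splunk_hec_settings(text).items():
        if not ENV_REF.match(cfg.get("token", "")):
            out.append((name, "token not read from the environment"))
        if cfg.get("endpoint", "").startswith("http://"):
            out.append((name, "endpoint is plain HTTP"))
        if cfg.get("insecure_skip_verify", "").lower() == "true":
            out.append((name, "certificate verification skipped"))
    return out
```

Calling audit(SAMPLE) returns two findings for splunk_hec/platform and none for splunk_hec/hardened.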
You can split log data between Splunk Cloud Platform or Enterprise and Observability Cloud to preserve AlwaysOn Profiling data while sending logs to Splunk. See Check the OpenTelemetry Collector configuration for more information.
To split the log pipelines, configure two separate splunk_hec entries in the receiver and exporters sections of the Collector configuration file. Then, add both to the logs pipeline. For example:
receivers:
  # Default OTLP receiver--used by Splunk platform logs
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
  # OTLP receiver for AlwaysOn Profiling data
  otlp/profiling:
    protocols:
      grpc:
        # Make sure to configure your agents
        # to use the custom port for logs when
        # setting SPLUNK_PROFILER_LOGS_ENDPOINT
        endpoint: 0.0.0.0:4319
exporters:
  # Export logs to Splunk platform
  splunk_hec/platform:
    token: "<splunk_token>"
    endpoint: "https://splunk:8088/services/collector"
    source: "otel"
    sourcetype: "otel"
    index: "main"
    max_connections: 20
    disable_compression: false
    timeout: 10s
    tls:
      insecure_skip_verify: true
  # Export profiling data to Observability Cloud
  splunk_hec/profiling:
    token: "<splunk_o11y_token>"
    endpoint: "https://ingest.<realm>.signalfx.com/v1/log"
    source: "otel"
    sourcetype: "otel"
    log_data_enabled: false
# Other settings
service:
  pipelines:
    # Traces and metrics pipelines
    # Logs pipeline for Splunk platform
    logs/platform:
      receivers: [fluentforward, otlp]
      processors:
      - memory_limiter
      - batch
      - resourcedetection
      exporters: [splunk_hec/platform]
    # Logs pipeline for AlwaysOn Profiling
    logs/profiling:
      receivers: [otlp/profiling]
      processors:
      - memory_limiter
      - batch
      - resourcedetection
      exporters: [splunk_hec/profiling]
Turn off profiling data
If you don't need AlwaysOn Profiling data for a specific host or container, set the profiling_data_enabled option to false in the splunk_hec exporter settings of the Collector configuration file. For example:
splunk_hec/noprofiling:
  token: "${SPLUNK_HEC_TOKEN}"
  endpoint: "${SPLUNK_HEC_URL}"
  source: "otel"
  sourcetype: "otel"
  profiling_data_enabled: false
To turn off log collection for Observability Cloud while preserving AlwaysOn Profiling data for APM, set the log_data_enabled option to false. See Exclude log data in the Collector for more information.
splunk_hec:
  token: "${SPLUNK_HEC_TOKEN}"
  endpoint: "${SPLUNK_HEC_URL}"
  source: "otel"
  sourcetype: "otel"
  log_data_enabled: false
Turn off log data export
If you need to turn off log data export to Observability Cloud, for example because you're using Log Observer Connect, set log_data_enabled to false in the splunk_hec exporter of your Collector configuration file:
splunk_hec:
  token: "${SPLUNK_HEC_TOKEN}"
  endpoint: "${SPLUNK_HEC_URL}"
  source: "otel"
  sourcetype: "otel"
  log_data_enabled: false
To use a custom configuration for EC2, see Use a custom configuration. To use a custom configuration for Fargate, see Use a custom configuration.
Note
The log_data_enabled setting is available in the Splunk Distribution of OpenTelemetry Collector version 0.49.0 and higher.
If you've deployed the Collector in Kubernetes using the Helm chart, change the following setting in the splunkObservability section of your custom chart or values.yaml file:
splunkObservability:
  # Other settings
  logsEnabled: false
Settings
The following table shows the configuration options for the Splunk HEC exporter:
Troubleshooting
If you are a Splunk Observability Cloud customer and are not able to see your data in Splunk Observability Cloud, you can get help in the following ways.
Available to Splunk Observability Cloud customers
Submit a case in the Splunk Support Portal.
Call Splunk Customer Support.
Available to customers and free trial users
Ask a question and get answers through community support at Splunk Answers.
Join the Splunk #observability user group Slack channel to communicate with customers, partners, and Splunk employees worldwide. To join, see Chat groups in the Get Started with Splunk Community manual.
To learn about even more support options, see Splunk Customer Success.