Splunk (HEC)

Description

The Splunk HTTP Event Collector source can be used to receive events (logs) from applications that emit events in the Splunk HEC format. Events are converted to OTLP format and can be sent to any destination.

The HEC source can be combined with the Splunk HEC Destination. This allows Bindplane's collector to sit in the middle of a Splunk pipeline, giving you the ability to leverage Bindplane's processing capabilities.

Supported Platforms

Configuration Table

Example Configuration

The HEC source type has two required parameters:

• Listen IP Address

• Listening Port

It is recommended to enable the Access Token Passthrough option if you wish to preserve the Splunk access token header as a resource attribute com.splunk_hec.access_token.

Once configured, incoming events will be displayed as logs like this:

Kubernetes

The Splunk HEC source type supports Kubernetes Gateway collectors. Splunk HEC forwarders can send logs to the collectors using the clusterIP services.

Prerequisites

• Bindplane v1.49.0 or newer

Configuration

Add the Splunk HEC source to your Gateway collector configuration. Set "Listen Address" to 0.0.0.0 and Listen Port to 8088.

The Splunk forwarders should be configured to forward telemetry to bindplane-gateway-collector.bindplane-collector.svc.cluster.localon port 8088. If the Splunk forwarders live outside of the cluster, you must make the bindplane-gateway-collectorservice in the bindplane-collector namespace available using TCP ingress or by defining your own service that can receive traffic from outside of the cluster. See the Kubernetes service documentation for more information.