# Splunk (HEC)

### Description

The Splunk HTTP Event Collector source can be used to receive events (logs) from applications that emit events in the Splunk HEC format. Events are converted to OTLP format and can be sent to any destination.

The HEC source can be combined with the [Splunk HEC Destination](https://docs.bindplane.com/integrations/destinations/splunk-hec). This allows Bindplane's collector to sit in the middle of a Splunk pipeline, giving you the ability to leverage Bindplane's processing capabilities.

### Supported Platforms

| Platform           | Metrics | Logs | Traces |
| ------------------ | ------- | ---- | ------ |
| Linux              |         | ✓    |        |
| Windows            |         | ✓    |        |
| macOS              |         | ✓    |        |
| Kubernetes Gateway |         | ✓    |        |
| OpenShift Gateway  |         | ✓    |        |

### Configuration Table

<table><thead><tr><th width="226.484375">Parameter</th><th width="96.453125">Type</th><th width="83.3515625">Default</th><th>Description</th></tr></thead><tbody><tr><td>listen_port</td><td><code>int</code></td><td>8888</td><td>Port to listen on.</td></tr><tr><td>listen_ip</td><td><code>string</code></td><td>"0.0.0.0"</td><td>IP Address to listen on.</td></tr><tr><td>access_token_passthrough</td><td><code>string</code></td><td>false</td><td>Whether to preserve incoming access token (Splunk header value) as "com.splunk.hec.access_token" metric resource label.</td></tr><tr><td>enable_tls</td><td><code>bool</code></td><td>false</td><td>Whether or not to use TLS.</td></tr><tr><td>tls_certificate_path</td><td><code>string</code></td><td></td><td>Path to the TLS cert to use for TLS-required connections.</td></tr><tr><td>tls_private_key_path</td><td><code>string</code></td><td></td><td>Path to the TLS key to use for TLS-required connections.</td></tr></tbody></table>

### Example Configuration

The HEC source type has two required parameters:

* Listen IP Address
* Listening Port

It is recommended to enable the Access Token Passthrough option if you wish to preserve the Splunk access token header as a resource attribute `com.splunk_hec.access_token`.

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-f7b06c1df2eb7635f14ef4ad7347c9c7d2579dfd%2Fintegrations-sources-splunk-hec-image-1.png?alt=media" alt="Bindplane docs - Splunk (HEC) - image 1"><figcaption></figcaption></figure>

Once configured, incoming events will be displayed as logs like this:

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-0eb4f18e8a70122df84ac5bc6a5dede79ff428fd%2Fintegrations-sources-splunk-hec-image-2.png?alt=media" alt="Bindplane docs - Splunk (HEC) - image 2"><figcaption></figcaption></figure>

### Kubernetes

The Splunk HEC source type supports Kubernetes Gateway collectors. Splunk HEC forwarders can send logs to the collectors using the clusterIP services.

#### Prerequisites

* Bindplane v1.49.0 or newer

#### Configuration

Add the Splunk HEC source to your Gateway collector configuration. Set "Listen Address" to `0.0.0.0` and Listen Port to `8088`.

The Splunk forwarders should be configured to forward telemetry to `bindplane-gateway-collector.bindplane-collector.svc.cluster.local`on port `8088`. If the Splunk forwarders live outside of the cluster, you must make the `bindplane-gateway-collector`service in the `bindplane-collector` namespace available using TCP ingress or by defining your own service that can receive traffic from outside of the cluster. See the Kubernetes [service documentation](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/) for more information.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bindplane.com/integrations/sources/splunk-hec.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.