Splunk (TCP)
Supported Platforms
Linux
✓
Windows
✓
macOS
✓
Kubernetes Gateway
✓
OpenShift Gateway
✓
Configuration Table
listen_ip
string
"0.0.0.0"
IP Address to listen on.
listen_port*
int
Port to listen on.
log_type
string
splunk_tcp
Arbitrary for attribute 'log_type'. Useful for filtering between many log sources.
parse_format
enum
none
Method to use when parsing. Valid values are none, json, and regex. When regex is selected, 'Regex Pattern' must be set.
regex_pattern
string
The regex pattern used when parsing log entries.
multiline_line_start_pattern
string
Regex pattern that matches the beginning of a log entry, for handling multiline logs.
multiline_line_end_pattern
string
Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs.
parse_timestamp
bool
false
Whether to parse the timestamp from the log entry.
timestamp_field
string
timestamp
The field containing the timestamp in the log entry.
parse_timestamp_format
enum
ISO8601
The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options include "ISO8601", "RFC3339", "Epoch", and "Manual".
epoch_timestamp_format
enum
s
The layout of the epoch-based timestamp. Required when parse_timestamp_format is set to "Epoch".. Options include "s", "ms", "us", "ns", "s.ms", "s.us", "s.ns".
manual_timestamp_format
string
'%Y-%m-%dT%H:%M:%S.%f%z'
The strptime layout of the timestamp. Used when parse_timestamp_format is set to "Manual".
timezone
timezone
UTC
The timezone to use if the Timestamp Format doesn't include a timezone. Otherwise, the timezone in the Timestamp Format will be respected. NOTE: This is also required to parse timezone abbreviations, due to their ambiguity.
parse_severity
bool
false
Whether to parse severity from the log entry.
severity_field
string
severity
The field containing the severity in the log entry.
parse_to
string
body
The field that the log will be parsed to. Some exporters handle logs favorably when parsed to attributes over body and vice versa.
enable_tls
bool
false
Whether or not to use TLS.
tls_certificate_path
string
Path to the TLS cert to use for TLS-required connections.
tls_private_key_path
string
Path to the TLS key to use for TLS-required connections.
tls_min_version
enum
"1.2"
The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. Valid values include: 1.3, 1.2, 1.1, 1.0.
*required field
Kubernetes
The Splunk TCP source type supports Kubernetes Gateway collectors. Splunk forwarders can send logs to the collectors using the clusterIP services.
Prerequisites
Bindplane v1.46.0 or newer
Configuration
Add the Splunk TCP source to your Gateway collector configuration. Set "Listen Address" to 0.0.0.0 and Listen Port to 9997.
The Splunk forwarders should be configured to forward telemetry to bindplane-gateway-collector.bindplane-collector.svc.cluster.localon port 9997. If the Splunk forwarders live outside of the cluster, you must make the bindplane-gateway-collectorservice in the bindplane-collector namespace available using TCP ingress or by defining your own service that can receive traffic from outside of the cluster. See the Kubernetes service documentation for more information.
Below is an example Splunk forwarder outputs configuration.
[tcpout]
defaultGroup = bindplane-gateway-collector
[tcpout:bindplane-gateway-collector]
server = bindplane-gateway-collector.bindplane-collector.svc.cluster.local:9997
compressed = false
useACK = false
sendCookedData = falseLast updated
Was this helpful?