# Splunk (TCP)

### Supported Platforms

| Platform           | Metrics | Logs | Traces |
| ------------------ | ------- | ---- | ------ |
| Linux              |         | ✓    |        |
| Windows            |         | ✓    |        |
| macOS              |         | ✓    |        |
| Kubernetes Gateway |         | ✓    |        |
| OpenShift Gateway  |         | ✓    |        |

### Configuration Table

<table><thead><tr><th width="235.08984375">Parameter</th><th width="99.26171875">Type</th><th width="105.4765625">Default</th><th>Description</th></tr></thead><tbody>
<tr><td>listen_ip</td><td><code>string</code></td><td>"0.0.0.0"</td><td>IP address to listen on.</td></tr>
<tr><td>listen_port*</td><td><code>int</code></td><td></td><td>Port to listen on.</td></tr>
<tr><td>log_type</td><td><code>string</code></td><td>splunk_tcp</td><td>Arbitrary value for the 'log_type' attribute. Useful for filtering between many log sources.</td></tr>
<tr><td>parse_format</td><td><code>enum</code></td><td>none</td><td>Method to use when parsing. Valid values are <code>none</code>, <code>json</code>, and <code>regex</code>. When regex is selected, 'Regex Pattern' must be set.</td></tr>
<tr><td>regex_pattern</td><td><code>string</code></td><td></td><td>The regex pattern used when parsing log entries.</td></tr>
<tr><td>multiline_line_start_pattern</td><td><code>string</code></td><td></td><td>Regex pattern that matches the beginning of a log entry, for handling multiline logs.</td></tr>
<tr><td>multiline_line_end_pattern</td><td><code>string</code></td><td></td><td>Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs.</td></tr>
<tr><td>parse_timestamp</td><td><code>bool</code></td><td>false</td><td>Whether to parse the timestamp from the log entry.</td></tr>
<tr><td>timestamp_field</td><td><code>string</code></td><td>timestamp</td><td>The field containing the timestamp in the log entry.</td></tr>
<tr><td>parse_timestamp_format</td><td><code>enum</code></td><td>ISO8601</td><td>The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options include "ISO8601", "RFC3339", "Epoch", and "Manual".</td></tr>
<tr><td>epoch_timestamp_format</td><td><code>enum</code></td><td>s</td><td>The layout of the epoch-based timestamp. Required when parse_timestamp_format is set to "Epoch". Options include "s", "ms", "us", "ns", "s.ms", "s.us", "s.ns".</td></tr>
<tr><td>manual_timestamp_format</td><td><code>string</code></td><td>'%Y-%m-%dT%H:%M:%S.%f%z'</td><td>The strptime layout of the timestamp. Used when parse_timestamp_format is set to "Manual".</td></tr>
<tr><td>timezone</td><td><code>timezone</code></td><td>UTC</td><td>The timezone to use if the Timestamp Format doesn't include a timezone. Otherwise, the timezone in the Timestamp Format will be respected. <strong>NOTE: This is also required to parse timezone abbreviations, due to their ambiguity.</strong></td></tr>
<tr><td>parse_severity</td><td><code>bool</code></td><td>false</td><td>Whether to parse severity from the log entry.</td></tr>
<tr><td>severity_field</td><td><code>string</code></td><td>severity</td><td>The field containing the severity in the log entry.</td></tr>
<tr><td>parse_to</td><td><code>string</code></td><td>body</td><td>The <a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/stanza/docs/types/field.md">field</a> that the log will be parsed to. Some exporters handle logs favorably when parsed to <code>attributes</code> over <code>body</code> and vice versa.</td></tr>
<tr><td>enable_tls</td><td><code>bool</code></td><td>false</td><td>Whether or not to use TLS.</td></tr>
<tr><td>tls_certificate_path</td><td><code>string</code></td><td></td><td>Path to the TLS cert to use for TLS-required connections.</td></tr>
<tr><td>tls_private_key_path</td><td><code>string</code></td><td></td><td>Path to the TLS key to use for TLS-required connections.</td></tr>
<tr><td>tls_min_version</td><td><code>enum</code></td><td>"1.2"</td><td>The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. Valid values include: <code>1.3</code>, <code>1.2</code>, <code>1.1</code>, <code>1.0</code>.</td></tr>
</tbody></table>

<mark style="color:red;">\*</mark>*<mark style="color:red;">required field</mark>*
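
A pre-deployment check for the `regex_pattern`, `timestamp_field`, `severity_field` and `manual_timestamp_format` parameters above, run against sample lines so that events which would not parse are found before they reach a detection pipeline. This is an added example, not Bindplane code: the pattern, the sample lines and the `preflight` helper are assumptions, and Python's `re` and `strptime` only approximate the collector's own regex and strptime handling.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the page), one raw line per event.
SAMPLE_LINES = [
    "2024-05-01T12:00:00.123456+0000 ERROR auth failed for user=alice",
    "2024-05-01T12:00:01.000000+0200 INFO session opened",
    "2024-05-01T12:00:02 WARN clock layout differs",
    "free-form line with no structure",
]

# Candidate regex_pattern (an assumption). Group names match the table's
# defaults for timestamp_field ("timestamp") and severity_field ("severity").
REGEX_PATTERN = r"^(?P<timestamp>\S+) (?P<severity>[A-Z]+) (?P<message>.*)$"
# Default manual_timestamp_format from the configuration table.
MANUAL_TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

def preflight(lines, pattern=REGEX_PATTERN, ts_format=MANUAL_TIMESTAMP_FORMAT,
              ts_field="timestamp", sev_field="severity"):
    """Return (parsed, rejected) for a regex pattern and timestamp layout."""
    rx = re.compile(pattern)
    missing = {ts_field, sev_field} - set(rx.groupindex)
    if missing:
        raise ValueError(f"pattern lacks named groups: {sorted(missing)}")
    parsed, rejected = [], []
    for line in lines:
        match = rx.match(line)
        if match is None:
            rejected.append((line, "regex"))
            continue
        fields = match.groupdict()
        try:
            ts = datetime.strptime(fields[ts_field], ts_format)
        except ValueError:
            rejected.append((line, "timestamp"))
            continue
        if ts.tzinfo is None:
            # Layout without an offset: fall back to UTC, the 'timezone' default.
            ts = ts.replace(tzinfo=timezone.utc)
        fields[ts_field] = ts.astimezone(timezone.utc)
        parsed.append(fields)
    return parsed, rejected

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_LINES)
    for fields in ok:
        print(fields["timestamp"].isoformat(), fields["severity"], fields["message"])
    for line, reason in bad:
        print(f"REJECTED ({reason}): {line}")
```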

### Kubernetes

The Splunk TCP source type supports Kubernetes Gateway collectors. Splunk forwarders can send logs to the collectors using the clusterIP services.

#### Prerequisites

* Bindplane v1.46.0 or newer

#### Configuration

Add the Splunk TCP source to your Gateway collector configuration. Set "Listen Address" to `0.0.0.0` and "Listen Port" to `9997`.

The Splunk forwarders should be configured to forward telemetry to `bindplane-gateway-collector.bindplane-collector.svc.cluster.local` on port `9997`. If the Splunk forwarders live outside of the cluster, you must make the `bindplane-gateway-collector` service in the `bindplane-collector` namespace available using TCP ingress or by defining your own service that can receive traffic from outside of the cluster. See the Kubernetes [service documentation](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/) for more information.

Below is an example Splunk forwarder outputs configuration.

```ini
[tcpout]
defaultGroup = bindplane-gateway-collector

[tcpout:bindplane-gateway-collector]
server = bindplane-gateway-collector.bindplane-collector.svc.cluster.local:9997
compressed = false
useACK = false
sendCookedData = false
```

