Splunk Destination Plugin

Example config #

kind: destination
spec:
  name: splunk
  path: cloudquery/splunk
  registry: cloudquery
  version: "v1.2.0"
  write_mode: "append"
  spec:
    # Splunk Cloud configuration parameters
    host: "${SPLUNK_HOST}"
    port: 8088
    hec_token: "${SPLUNK_HEC_TOKEN}"
    
    # Optional parameters
    # protocol: https
    # rest_port: 8089
    # session_key: "${SPLUNK_SESSION_KEY}
    # index: main
    # event_source: cloudquery
    # event_sourcetype: _json
    # concurrency: 16
    # batch_size: 1000
    # batch_size_bytes: 5242880

Splunk Spec #

• host (string) (optional) (default: "localhost")

  Host of the Splunk instance. Can be local or remote.
• port (integer) (optional) (default: 8088)

  Port of the Splunk instance.
• hec_token (string) (required)

  Splunk HEC token. Go to Settings -> Data Inputs -> HTTP Event Collector -> New Token to create a new token. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector
• protocol (string) (optional) (default: https)

  Protocol for connecting to Splunk. Can be also specified in host.
• rest_port (integer) (optional) (default: 8089)

  REST API access port of the Splunk instance. Not used besides tests.
• session_key (string) (optional)

  Splunk session key used for rest API access. Not used besides test. Can be acquired for example by logging in using /services/auth/login Splunk endpoint
• index (string) (optional) (default: main)

  Splunk index to use for writing the events
• event_source (string) (optional) (default: cloudquery)

  The source field of events sent to Splunk will have this value
• event_sourcetype (string) (optional) (default: _json)

  Sourcetype field of events sent to Splunk will have this value
• batch_size (integer) (optional) (default: 3000)

  Maximum number of items in a batch that may be received by the plugin at a time.
• batch_size_bytes (integer) (optional) (default: 15728640 (15 MiB))

  Maximum size of items in a batch that may be received by the plugin at a time.
• max_concurrent_requests (integer) (optional) (default: 3)

  Maximum number of concurrent requests to the Splunk instance. Consider keeping the ratio batch_size / max_concurrent_requests around 1000, while keeping max_concurrent_requests as low as possible. Doing otherwise may result in increasingly high response times from the Splunk instance.