|
1 | 1 | # Splunk (HTTP HEC) |
2 | 2 |
|
3 | | -The **splunk** input plugin handles [Splunk HTTP HEC](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) requests. |
| 3 | +The _Splunk_ input plugin handles [Splunk HTTP HEC](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) requests. |
4 | 4 |
|
5 | | -## Configuration Parameters |
| 5 | +## Configuration parameters |
6 | 6 |
|
7 | | -| **Key** | Description | default | |
8 | | -|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------| |
9 | | -| listen | The address to listen on | 0.0.0.0 | |
10 | | -| port | The port for Fluent Bit to listen on | 9880 | |
11 | | -| tag_key | Specify the key name to overwrite a tag. If set, the tag will be overwritten by a value of the key. | | |
12 | | -| buffer_max_size | Specify the maximum buffer size in KB to receive a JSON message. | 4M | |
13 | | -| buffer_chunk_size | This sets the chunk size for incoming JSON messages. These chunks are then stored/managed in the space available by buffer_max_size. | 512K | |
14 | | -| successful_response_code | It allows to set successful response code. `200`, `201` and `204` are supported. | 201 | |
15 | | -| splunk\_token | Specify a Splunk token for HTTP HEC authentication. If multiple tokens are specified (with commas and no spaces), usage will be divided across each of the tokens. | | |
16 | | -| store\_token\_in\_metadata | Store Splunk HEC tokens in the Fluent Bit metadata. If set false, they will be stored as normal key-value pairs in the record data. | true | |
17 | | -| splunk\_token\_key | Use the specified key for storing the Splunk token for HTTP HEC. This is only effective when `store_token_in_metadata` is false. | @splunk_token | |
18 | | -| Threaded | Indicates whether to run this input in its own [thread](../../administration/multithreading.md#inputs). | `false` | |
| 7 | +This plugin uses the following configuration parameters: |
19 | 8 |
|
20 | | -## Getting Started |
| 9 | +| Key | Description | Default | |
| 10 | +| --- | ----------- | ------- | |
| 11 | +| `listen` | The address to listen on. | `0.0.0.0` | |
| 12 | +| `port` | The port for Fluent Bit to listen on. | `9880` | |
| 13 | +| `tag_key` | Specify the key name to overwrite a tag. If set, the tag will be overwritten by a value of the key. | _none_ | |
| 14 | +| `buffer_max_size` | Specify the maximum buffer size in KB to receive a JSON message. | `4M` | |
| 15 | +| `buffer_chunk_size` | This sets the chunk size for incoming JSON messages. These chunks are then stored and managed in the space available by `buffer_max_size`. | `512K` | |
| 16 | +| `successful_response_code` | Set the successful response code. Allowed values: `200`, `201`, and `204` | `201` | |
| 17 | +| `splunk_token` | Specify a Splunk token for HTTP HEC authentication. If multiple tokens are specified (with commas and no spaces), usage will be divided across each of the tokens. | _none_ | |
| 18 | +| `store_token_in_metadata` | Store Splunk HEC tokens in the Fluent Bit metadata. If set to `false`, tokens will be stored as normal key-value pairs in the record data. | `true` | |
| 19 | +| `splunk_token_key` | Use the specified key for storing the Splunk token for HTTP HEC. Use only when `store_token_in_metadata` is `false`. | `@splunk_token` | |
| 20 | +| `Threaded` | Indicates whether to run this input in its own [thread](../../administration/multithreading.md#inputs). | `false` | |
21 | 21 |
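Review bot: In the new `buffer_max_size` row the description still says the maximum is "in KB" while the default is `4M` (and `buffer_chunk_size` defaults to `512K`), so the stated unit and the defaults disagree; drop "in KB" or state which size suffixes are accepted. Since every row is being rewritten anyway, `Threaded` is the only key left capitalized and the `successful_response_code` description is the only one without a closing period. The table also lists `listen` as `0.0.0.0` and `splunk_token` as _none_ without saying how requests are handled when no token is configured; one sentence on that would help readers decide whether to set both before exposing the port.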
|
22 | | -In order to start performing the checks, you can run the plugin from the command line or through the configuration file. |
| 22 | +## Get started |
23 | 23 |
|
24 | | -#### How to set tag |
| 24 | +To start performing the checks, you can run the plugin from the command line or through the configuration file. |
| 25 | + |
| 26 | +### Set a tag |
25 | 27 |
|
26 | 28 | The tag for the Splunk input plugin is set by adding the tag to the end of the request URL by default. |
27 | 29 | This tag is then used to route the event through the system. |
28 | | -The default behavior of the splunk input sets the tags for the following endpoints: |
| 30 | +The default behavior of the Splunk input sets the tags for the following endpoints: |
29 | 31 |
|
30 | | -* `/services/collector` |
31 | | -* `/services/collector/event` |
32 | | -* `/services/collector/raw` |
| 32 | +- `/services/collector` |
| 33 | +- `/services/collector/event` |
| 34 | +- `/services/collector/raw` |
33 | 35 |
|
34 | 36 | The requests for these endpoints are interpreted as `services_collector`, `services_collector_event`, and `services_collector_raw`. |
35 | 37 |
|
36 | | -If you want to use the other tags for multiple instantiating input splunk plugin, you have to specify `tag` property on the each of splunk plugin configurations to prevent collisions of data pipeline. |
| 38 | +To use the other tags for multiple instantiating input Splunk plugins, you must specify the `tag` property on each Splunk plugin configuration to prevent data pipeline collisions. |
37 | 39 |
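Review bot: The rewritten sentence at new line 38, "To use the other tags for multiple instantiating input Splunk plugins", is still hard to parse and keeps the old wording's ambiguity about what "the other tags" are. Something like "When you run more than one Splunk input instance, set the `tag` property on each instance to prevent data pipeline collisions" says the same thing directly. It would also help to state how an explicit `tag` relates to the URL-derived tags (`services_collector` and so on) described just above.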
|
38 | | -### Command Line |
| 40 | +### Command line |
39 | 41 |
|
40 | 42 | From the command line you can configure Fluent Bit to handle HTTP HEC requests with the following options: |
41 | 43 |
|
42 | 44 | ```bash |
43 | | -$ fluent-bit -i splunk -p port=8088 -o stdout |
| 45 | +fluent-bit -i splunk -p port=8088 -o stdout |
44 | 46 | ``` |
45 | 47 |
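Review bot: The command at new line 45 sets only `port=8088`, so a reader who copies it starts the listener with no `splunk_token` and with the table's default `listen` of `0.0.0.0`. Consider showing `-p splunk_token=<token>` in the example, or adding a sentence that this form is meant for local testing. Dropping the `$` prompt is fine.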
|
46 | | -### Configuration File |
| 48 | +### Configuration file |
47 | 49 |
|
48 | | -In your main configuration file append the following _Input_ & _Output_ sections: |
| 50 | +In your main configuration file append the following sections: |
49 | 51 |
|
50 | 52 | ```python |
51 | 53 | [INPUT] |
|
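Review bot: The fence at new line 52 is still tagged `python` although it opens a Fluent Bit `[INPUT]` section, so it will be highlighted as Python; this cleanup is a good place to retag it (for example as `text`). The new lead-in "append the following sections" also no longer says which sections are meant; naming them, as the old line did with Input and Output, keeps the sentence self-explanatory.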