otelcol.receiver.splunkhec
Public preview: This is a public preview component. Public preview components are subject to breaking changes, and may be replaced with equivalent functionality that covers the same use case. The stability.level flag must be set to public-preview or below to use the component.
otelcol.receiver.splunkhec accepts events in the Splunk HEC format and forwards them to other otelcol.* components.
The receiver accepts data formatted as JSON HEC events under any path, or as EOL-separated raw log data if sent to the raw_path path.
Note
otelcol.receiver.splunkhec is a wrapper over the upstream OpenTelemetry Collector splunkhec receiver. Bug reports or feature requests will be redirected to the upstream repository, if necessary.
You can specify multiple otelcol.receiver.splunkhec components by giving them different labels.
Usage
otelcol.receiver.splunkhec "<LABEL>" {
  output {
    metrics = [...]
    logs    = [...]
  }
}
Arguments
You can use the following arguments with otelcol.receiver.splunkhec:
Name | Type | Description | Default | Required |
---|---|---|---|---|
access_token_passthrough | boolean | If enabled, preserves the incoming access token as the attribute com.splunk.hec.access_token. | false | no |
auth | capsule(otelcol.Handler) | Handler from an otelcol.auth component to use for authenticating requests. | | no |
compression_algorithms | list(string) | A list of compression algorithms the server can accept. | ["", "gzip", "zstd", "zlib", "snappy", "deflate", "lz4"] | no |
endpoint | string | host:port to listen for traffic on. | "localhost:8088" | no |
health_path | string | The path reporting health checks. | /services/collector/health | no |
include_metadata | boolean | Propagate incoming connection metadata to downstream consumers. | | no |
max_request_body_size | string | Maximum request body size the server will allow. | 20MiB | no |
raw_path | string | The path accepting raw HEC events. Only applies when the receiver is used for logs. | /services/collector/raw | no |
splitting | string | Defines the splitting strategy used by the receiver when ingesting raw events. Can be set to "line" or "none". | "line" | no |
By default, otelcol.receiver.splunkhec listens for HTTP connections on localhost:8088.
To expose the HTTP server to other machines on your network, configure endpoint with the IP address to listen on, or 0.0.0.0:8088 to listen on all network interfaces.
If access_token_passthrough is enabled, the incoming access token is preserved as the attribute com.splunk.hec.access_token.
If logs or metrics are exported with otelcol.exporter.splunkhec, the exporter checks for this attribute and, if present, forwards it with the outgoing request.
Blocks
You can use the following blocks with otelcol.receiver.splunkhec:
Block | Description | Required |
---|---|---|
output | Configures where to send received telemetry data. | yes |
cors | Configures CORS for the HTTP server. | no |
hec_metadata_to_otel_attrs | Configures OpenTelemetry attributes from HEC metadata. | no |
debug_metrics | Configures the metrics that this component generates to monitor its state. | no |
tls | Configures TLS for the HTTP server. | no |
tls
The tls block configures TLS settings used for a server.
If the tls block isn’t provided, TLS isn’t used for connections to the server.
The following arguments are supported:
Name | Type | Description | Default | Required |
---|---|---|---|---|
ca_file | string | Path to the CA file. | | no |
ca_pem | string | CA PEM-encoded text to validate the server with. | | no |
cert_file | string | Path to the TLS certificate. | | no |
cert_pem | string | Certificate PEM-encoded text for client authentication. | | no |
include_system_ca_certs_pool | boolean | Whether to load the system certificate authorities pool alongside the certificate authority. | false | no |
key_file | string | Path to the TLS certificate key. | | no |
key_pem | secret | Key PEM-encoded text for client authentication. | | no |
max_version | string | Maximum acceptable TLS version for connections. | "TLS 1.3" | no |
min_version | string | Minimum acceptable TLS version for connections. | "TLS 1.2" | no |
cipher_suites | list(string) | A list of TLS cipher suites that the TLS transport can use. | [] | no |
reload_interval | duration | The duration after which the certificate is reloaded. | "0s" | no |
client_ca_file | string | Path to the TLS cert to use by the server to verify a client certificate. | | no |
curve_preferences | list(string) | Set of elliptic curves to use in a handshake. | [] | no |
If reload_interval is set to "0s", the certificate is never reloaded.
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
- ca_pem and ca_file
- cert_pem and cert_file
- key_pem and key_file
If cipher_suites is left blank, a safe default list is used.
Refer to the Go Cipher Suites documentation for a list of supported cipher suites.
client_ca_file sets the ClientCA and ClientAuth to RequireAndVerifyClientCert in the TLSConfig.
Refer to the Go TLS documentation for more information.
The curve_preferences argument determines the set of elliptic curves to prefer during a handshake, in preference order.
If not provided, a default list is used.
The available elliptic curves are X25519, P521, P256, and P384.
cors
The cors block configures CORS settings for an HTTP server.
The following arguments are supported:
Name | Type | Description | Default | Required |
---|---|---|---|---|
allowed_headers | list(string) | Accepted headers from CORS requests. | ["X-Requested-With"] | no |
allowed_origins | list(string) | Allowed values for the Origin header. | | no |
max_age | number | Configures the Access-Control-Max-Age response header. | | no |
The allowed_headers argument specifies which headers are acceptable from a CORS request.
The following headers are always implicitly allowed:
- Accept
- Accept-Language
- Content-Type
- Content-Language
If allowed_headers includes "*", all headers are permitted.
hec_metadata_to_otel_attrs
The hec_metadata_to_otel_attrs block configures OpenTelemetry attributes from HEC metadata.
Name | Type | Description | Default | Required |
---|---|---|---|---|
host | string | Specifies the mapping of the host field to an attribute. | host.name | no |
index | string | Specifies the mapping of the index field to an attribute. | com.splunk.index | no |
source | string | Specifies the mapping of the source field to an attribute. | com.splunk.source | no |
sourcetype | string | Specifies the mapping of the sourcetype field to an attribute. | com.splunk.sourcetype | no |
debug_metrics
The debug_metrics block configures the metrics that this component generates to monitor its state.
The following arguments are supported:
Name | Type | Description | Default | Required |
---|---|---|---|---|
disable_high_cardinality_metrics | boolean | Whether to disable certain high cardinality metrics. | true | no |
disable_high_cardinality_metrics is the Grafana Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector.
It removes attributes that could cause high cardinality metrics.
For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.
Note
If configured, disable_high_cardinality_metrics only applies to otelcol.exporter.* and otelcol.receiver.* components.
output
Required
The output block configures a set of components to forward resulting telemetry data to.
The following arguments are supported:
Name | Type | Description | Default | Required |
---|---|---|---|---|
logs | list(otelcol.Consumer) | List of consumers to send logs to. | [] | no |
metrics | list(otelcol.Consumer) | List of consumers to send metrics to. | [] | no |
You must specify the output block, but all its arguments are optional.
By default, telemetry data is dropped.
Configure the metrics and logs arguments accordingly to send telemetry data to other components.
Exported fields
otelcol.receiver.splunkhec doesn’t export any fields.
Component health
otelcol.receiver.splunkhec is only reported as unhealthy if given an invalid configuration.
Debug information
otelcol.receiver.splunkhec doesn’t expose any component-specific debug information.
Example
This example forwards received telemetry through a batch processor before finally sending it to an OTLP-capable endpoint:
otelcol.receiver.splunkhec "default" {
  output {
    logs    = [otelcol.processor.batch.default.input]
    metrics = [otelcol.processor.batch.default.input]
  }
}

// The receiver emits logs and metrics, so the batch processor forwards both.
otelcol.processor.batch "default" {
  output {
    metrics = [otelcol.exporter.otlp.default.input]
    logs    = [otelcol.exporter.otlp.default.input]
  }
}

otelcol.exporter.otlp "default" {
  client {
    endpoint = sys.env("<OTLP_ENDPOINT>")
  }
}
Enable authentication
You can create an otelcol.receiver.splunkhec component that requires authentication for requests. This is useful for limiting who can push data to the server.
Note
Not all OpenTelemetry Collector authentication plugins support receiver authentication. Refer to the documentation for each otelcol.auth.* component to determine its compatibility.
otelcol.receiver.splunkhec "default" {
  output {
    logs    = [otelcol.processor.batch.default.input]
    metrics = [otelcol.processor.batch.default.input]
  }
  auth = otelcol.auth.basic.creds.handler
}

otelcol.auth.basic "creds" {
  username = sys.env("<USERNAME>")
  password = sys.env("<PASSWORD>")
}
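The defaults described above bind to localhost without TLS, so basic authentication credentials and HEC payloads travel in clear text once endpoint is opened to the network. The following configuration is an added example, not part of the original documentation, that combines the endpoint, tls, auth, and max_request_body_size settings for a network-exposed receiver. The certificate paths, the "hardened" label, and the 1MiB limit are assumptions chosen for illustration.

```alloy
// Added example: certificate paths and the 1MiB limit are assumptions.
otelcol.receiver.splunkhec "hardened" {
  // Listen on all interfaces so other machines can reach the receiver.
  endpoint = "0.0.0.0:8088"

  // Reject oversized request bodies (the default is 20MiB).
  max_request_body_size = "1MiB"

  // Default value, stated explicitly: the incoming HEC token isn't
  // copied into the com.splunk.hec.access_token attribute.
  access_token_passthrough = false

  // Every request must pass the basic auth handler defined below.
  auth = otelcol.auth.basic.creds.handler

  tls {
    cert_file = "/etc/alloy/tls/server.crt" // placeholder path
    key_file  = "/etc/alloy/tls/server.key" // placeholder path

    // Setting client_ca_file makes the server require and verify
    // a client certificate issued by this CA.
    client_ca_file = "/etc/alloy/tls/clients-ca.crt" // placeholder path

    // Raise the minimum from the default of "TLS 1.2".
    min_version = "TLS 1.3"
  }

  output {
    logs    = [otelcol.processor.batch.default.input]
    metrics = [otelcol.processor.batch.default.input]
  }
}

otelcol.auth.basic "creds" {
  username = sys.env("<USERNAME>")
  password = sys.env("<PASSWORD>")
}

otelcol.processor.batch "default" {
  output {
    logs    = [otelcol.exporter.otlp.default.input]
    metrics = [otelcol.exporter.otlp.default.input]
  }
}

otelcol.exporter.otlp "default" {
  client {
    endpoint = sys.env("<OTLP_ENDPOINT>")
  }
}
```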
Compatible components
otelcol.receiver.splunkhec can accept arguments from the following components:
- Components that export OpenTelemetry otelcol.Consumer
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.