
Configure Splunk HEC

The Log Export Container uses the fluentd Splunk HEC output plugin. To enable it, set LOG_EXPORT_CONTAINER_OUTPUT=splunk-hec and provide the following variables:

  • SPLUNK_HEC_HOST. The hostname/IP for the HEC token or the HEC load balancer, for example: prd-p-xxxxx.splunkcloud.com
  • SPLUNK_HEC_PORT. The port number for the HEC token or the HEC load balancer, for example: 8088
  • SPLUNK_HEC_TOKEN. Identifier for the HEC token, for example: xxxxxxxx-yyyy-yyyy-yyyy-zzzzzzzzzzzz

IMPORTANT: SSL validation is disabled by default, so the container does not verify the certificate presented by the HEC endpoint. You can pass different SSL parameters by overriding the built-in configuration, as described below.

Plugin changes

The Splunk output plugin supports multiple configurations. Please refer to output-splunk-hec.conf.

If you want to specify different parameters and customize the output plugin, you can download output-splunk-hec.conf, make your modifications, and pass the file to the container. For example:

# Mount the customized output-splunk-hec.conf over the built-in plugin configuration
docker run -p 5140:5140 \
  -v /path-to-your/output-splunk-hec.conf:/fluentd/etc/output-splunk-hec.conf \
  -e LOG_EXPORT_CONTAINER_INPUT="$LOG_EXPORT_CONTAINER_INPUT" \
  -e LOG_EXPORT_CONTAINER_OUTPUT=splunk-hec \
  -e SPLUNK_HEC_HOST="$SPLUNK_HEC_HOST" \
  -e SPLUNK_HEC_PORT="$SPLUNK_HEC_PORT" \
  -e SPLUNK_HEC_TOKEN="$SPLUNK_HEC_TOKEN" log-export-container
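
A preflight check for the customized file, given here as an added example that is not part of the project's documentation or code: it rejects a configuration that leaves certificate validation off before the file is mounted into the container. It assumes the plugin block is a `<match>` or `<store>` section of `@type splunk_hec`; the function names, the sample files and the CA path are constructed for illustration.

```shell
# Added example. insecure_ssl, ca_file and protocol are fluent-plugin-splunk-hec
# parameters; both sample files are constructed, not the shipped configuration.
# Print a parameter's value from the <match>/<store> block of @type splunk_hec.
hec_param() {  # usage: hec_param FILE NAME
  awk -v key="$2" '
    /^[ \t]*#/                          { next }   # skip comment lines
    /<(match|store)/                    { hec = 0; cur = "" }
    $1 == "@type" && $2 == "splunk_hec" { hec = 1 }
    $1 == key                           { cur = $2 }
    /<\/(match|store)>/                 { if (hec) val = cur }
    END                                 { print val }
  ' "$1"
}

# Return 0 only when the file explicitly turns certificate verification on.
check_hec_tls() {  # usage: check_hec_tls FILE
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  if [ "$(hec_param "$1" protocol)" = "http" ]; then
    echo "REJECT $1: protocol http sends the HEC token unencrypted" >&2; return 1
  fi
  if [ "$(hec_param "$1" insecure_ssl)" != "false" ]; then
    echo "REJECT $1: insecure_ssl is not explicitly false" >&2; return 1
  fi
}

# Constructed samples: validation disabled beside validation enabled.
write_samples() {  # usage: write_samples DIR
  cat > "$1/weak.conf" <<'EOF'
<store>
  @type splunk_hec
  hec_host "#{ENV['SPLUNK_HEC_HOST']}"
  insecure_ssl true
</store>
EOF
  cat > "$1/hardened.conf" <<'EOF'
<store>
  @type splunk_hec
  hec_host "#{ENV['SPLUNK_HEC_HOST']}"
  insecure_ssl false
  # hypothetical path to the CA that signed the HEC certificate
  ca_file /fluentd/etc/certs/hec-ca.pem
</store>
EOF
}

demo_dir="$(mktemp -d)"
write_samples "$demo_dir"
for n in weak hardened; do
  check_hec_tls "$demo_dir/$n.conf" && echo "$n: ok" || echo "$n: rejected"
done
```

Run `check_hec_tls` against your customized file and start the container only when it returns 0; a CA file referenced by `ca_file` also has to be mounted into the container.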

References