Splunk HEC Sink Node
The splunkhecsink node forwards pipeline records to Splunk via the HTTP Event Collector (HEC) in batches.
Records are grouped into batches and sent to the HEC endpoint as JSON records. Each record can be tagged with a Splunk index, sourcetype, and source. Token-based authentication is required via an API-key credential. TLS certificate validation is enabled by default.
Key Features
- Batch forwarding: groups records into HEC requests for efficient Splunk ingestion
- Token-based authentication: HEC token stored as an API-key credential in jobContext.otherProperties
- Per-record tagging: assign index, sourcetype, and source to every record sent
- Configurable SSL verification: disable TLS certificate validation for self-signed dev clusters
Configuration
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| hecUrl | String | Yes | — | Full HEC endpoint URL (e.g. https://splunk.example.com:8088/services/collector/event) |
| credentialId | String | Yes | — | ID of the API-key credential in jobContext.otherProperties holding the HEC token. |
| index | String | No | — | Target Splunk index. Omit to use the default index configured on the HEC token. |
| sourcetype | String | No | — | Value assigned to each record's sourcetype field (e.g. _json) |
| source | String | No | — | Value assigned to each record's source field (e.g. fleak) |
| verifySsl | Boolean | No | true | Validate the Splunk endpoint's TLS certificate. Disable only for self-signed dev clusters. |
| batchSize | Integer | No | 500 | Records sent per HEC request |
Credential Setup
The HEC token is stored as an API-key credential in jobContext.otherProperties. The key of the credential is the raw HEC token string issued by Splunk (found under Settings > Data Inputs > HTTP Event Collector in the Splunk UI).
Example jobContext entry:
```yaml
jobContext:
  otherProperties:
    splunk-hec-token:
      key: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```
Set credentialId: "splunk-hec-token" in the sink config to reference it.
DAG Example
```yaml
jobContext:
  otherProperties:
    splunk-hec-token:
      key: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  metricTags: {}
  dlqConfig:
dag:
  - id: "source"
    commandName: "stdin"
    config:
      encodingType: "JSON_OBJECT"
    outputs:
      - "sink"
  - id: "sink"
    commandName: "splunkhecsink"
    config:
      hecUrl: "https://splunk.example.com:8088/services/collector/event"
      credentialId: "splunk-hec-token"
      index: "main"
      sourcetype: "_json"
      source: "fleak"
      batchSize: 500
```
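To make the configuration fields concrete, the following Python example (added here, not the node's own code) builds the requests a Splunk HEC event endpoint accepts for a set of records: one request per batchSize records, the token in an `Authorization: Splunk <token>` header, and index, sourcetype and source attached to each event. It assumes the sink wraps each record in an HEC event envelope; the function names, the https-only guard, the placeholder token and the sample records are constructed for illustration.

```python
import json
import ssl
from urllib.parse import urlsplit

def chunk(records, batch_size=500):
    """Split records into lists of at most batch_size (the node's batchSize)."""
    return [records[i:i + batch_size] for i in range(0, len(records), batch_size)]

def hec_envelope(record, cfg):
    """Wrap one pipeline record in an HEC event object with optional metadata."""
    env = {"event": record}
    for field in ("index", "sourcetype", "source"):
        if cfg.get(field):  # omitted fields fall back to the HEC token's defaults
            env[field] = cfg[field]
    return env

def build_requests(cfg, token, records):
    """Return one (url, headers, body) tuple per batch."""
    # Assumed guard: over plain http the token header would travel in cleartext.
    if urlsplit(cfg["hecUrl"]).scheme != "https":
        raise ValueError("hecUrl must be https: the HEC token travels in a header")
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    out = []
    for batch in chunk(records, cfg.get("batchSize", 500)):
        # HEC accepts several event objects concatenated in one request body.
        body = "\n".join(json.dumps(hec_envelope(r, cfg)) for r in batch)
        out.append((cfg["hecUrl"], headers, body.encode("utf-8")))
    return out

def tls_context(verify_ssl=True):
    """TLS settings matching verifySsl; False removes all server authentication."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed sample input, not real data.
SAMPLE_CFG = {"hecUrl": "https://splunk.example.com:8088/services/collector/event",
              "index": "main", "sourcetype": "_json", "source": "fleak",
              "batchSize": 2}
SAMPLE_RECORDS = [{"user": "alice", "action": "login"},
                  {"user": "bob", "action": "logout"},
                  {"user": "carol", "action": "login"}]

if __name__ == "__main__":
    for url, _, body in build_requests(SAMPLE_CFG, "PLACEHOLDER-TOKEN", SAMPLE_RECORDS):
        print(url, len(body.splitlines()), "events")
```

With verifySsl set to false the client accepts any certificate, so anything able to intercept the connection receives the HEC token along with the records.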
Related Nodes
- kafkasink: Publish pipeline records to Apache Kafka topics
- elasticsearchsink: Index pipeline records into Elasticsearch