Skip to main content

Splunkhec Receiver

Status Available in: contrib Maintainers: @atoulme Source: opentelemetry-collector-contrib

Supported Telemetry

Logs Metrics

Overview

Configuration

The following settings are required:
  • endpoint (default = localhost:8088): Address and port that the Splunk HEC receiver should bind to.
See our security best practices doc to understand how to set the endpoint in different environments. The following settings are optional:
  • access_token_passthrough (default = false): Whether to preserve incoming access token (Splunk header value) as "com.splunk.hec.access_token" metric resource label. Can be used in tandem with identical configuration option for Splunk HEC exporter to preserve datapoint origin.
  • tls_settings (no default): This is an optional object used to specify if TLS should be used for incoming connections. Please consult configtls for the complete list of options available.
    • cert_file: Specifies the certificate file to use for TLS connection. Note: Both key_file and cert_file are required for TLS connection.
    • key_file: Specifies the key file to use for TLS connection. Note: Both key_file and cert_file are required for TLS connection.
  • raw_path (default = ‘/services/collector/raw’): The path accepting raw HEC events. Only applies when the receiver is used for logs.
  • splitting defines the splitting strategy used by the receiver when ingesting raw events. Can be set to “line” or “none”. Default is “line”.
  • health_path (default = ‘/services/collector/health’): The path reporting health checks.
  • hec_metadata_to_otel_attrs/source (default = ‘com.splunk.source’): Specifies the mapping of the source field to a specific unified model attribute.
  • hec_metadata_to_otel_attrs/sourcetype (default = ‘com.splunk.sourcetype’): Specifies the mapping of the sourcetype field to a specific unified model attribute.
  • hec_metadata_to_otel_attrs/index (default = ‘com.splunk.index’): Specifies the mapping of the index field to a specific unified model attribute.
  • hec_metadata_to_otel_attrs/host (default = ‘host.name’): Specifies the mapping of the host field to a specific unified model attribute.
  • ack (no default): defines the ackextension to use for acknowledging events
    • extension (no default): Specifies the ack extension ID the receiver should use. If left blank, ack is disabled.
    • path (default = ‘/services/collector/ack’): The path the ack extension will listen on for ack requests, if the extension is enabled.
Example: 
receivers:
  splunk_hec:
  splunk_hec/advanced:
    access_token_passthrough: true
    tls:
      cert_file: /test.crt
      key_file: /test.key
    raw_path: "/raw"
    hec_metadata_to_otel_attrs:
      source: "mysource"
      sourcetype: "mysourcetype"
      index: "myindex"
      host: "myhost"
    ack: 
      extension: ack/in_memory
The full list of settings exposed for this receiver are documented in config.go with detailed sample configurations in testdata/config.yaml.

Configuration

Example Configuration

splunk_hec:
splunk_hec/allsettings:
  # endpoint specifies the network interface and port which will receive
  # Splunk metrics.
  endpoint: localhost:8088
  access_token_passthrough: true
  raw_path: "/foo"
  splitting: "line"
  health_path: "/bar"
  hec_metadata_to_otel_attrs:
    source: "file.name"
    sourcetype: "foobar"
    index: "myindex"
    host: "myhostfield"
splunk_hec/tls:
  tls:
    cert_file: /test.crt
    key_file: /test.key
Last generated: 2026-04-13