:::info The Splunk output is currently a technology preview. The design and implementation are less mature than stable features and subject to change. :::
The Splunk HEC output can be used to send records to or via the .
Specifies whether the Splunk output is enabled.
Valid Values
true, false
Default
false
Specifies whether the data will be sent using the Splunk Common Information Model (CIM).
Valid Values
true, false
Default
false
This setting specifies the Splunk servers to which the output should connect. It is a comma-separated list of Splunk nodes, including port number.
:::danger Do NOT include http:// or https:// in the provided value. TLS communications is enabled/disabled using EF_OUTPUT_SPLUNK_TLS_ENABLE. :::
Default
127.0.0.1:8088
The HTTP Event Collector token to use when sending records to Splunk.
Default
''
The maximum time, in milliseconds, to wait for a batch of records to fill before being sent to Splunk.
Default
2000
The maximum size, in bytes, for a batch of records being sent to Splunk.
Default
8388608
This setting is used to enable/disable TLS connections to Splunk.
Valid Values
true, false
Default
false
This setting is used to enable/disable TLS verification of the Splunk server to which the output is attempting to connect.
Valid Values
true, false
Default
false
The path to the Certificate Authority (CA) certificate to use for verification of the Splunk server to which the output is attempting to connect.
Default
''
This setting allows for a comma-separated list of fields that are to be removed from all records.
:::note Fields are dropped after any output specific fields have been added and after any schema conversion. This means that you should use the field names as you see them in the user interface. :::
Valid Values
any field names related to the enabled schema, comma-separated
Example
flow.export.sysuptime,flow.export.version.ver,flow.start.sysuptime,flow.end.sysuptime,flow.seq_num
Default
''