Splunk HEC is a streaming destination type. In a typical deployment, Cribl is installed on (co-located with) a Splunk heavy forwarder; when this output is enabled, it can send data to a Splunk HEC destination through the event endpoint.
On the Destinations screen, select Splunk HEC from the vertical menu, then click Add New:
- Output Id: Enter a unique name to identify this Splunk HEC destination definition.
- Splunk HEC Endpoint: URL of the Splunk HEC endpoint to send events to, e.g. http://myhost.example.com:8088/services/collector/event
- HEC Auth Token: Splunk HEC authentication token.
- Next Processing Queue: Specify the next Splunk processing queue to send events to after HEC processing. Defaults to indexQueue.
- Default _TCP_ROUTING: Specify the value of the _TCP_ROUTING field for events that do not have _ctrl._TCP_ROUTING set. Defaults to nowhere. Note: this is useful only when this data is expected to be further routed to another destination by the HEC receiver.
- Request Concurrency: Maximum number of ongoing requests before blocking. Defaults to 5.
- Max Body Size (KB): Maximum size, in KB, of the request body. Defaults to 4096.
- Flush Period (s): Maximum time between requests. This can cause the payload size to be smaller than the maximum. Defaults to 1.
- Extra HTTP Headers: Name/Value pairs to pass as additional HTTP headers.
Then, click Save.
- Cribl attempts to use keepalives to reuse a connection for multiple requests. Two minutes after a connection's first use, it is discarded and a new one is established. This prevents sticking to a particular destination when there is a constant flow of events.
- If the server does not support keepalives (or closes a pooled connection while idle), a new connection is established for the next request.
- When resolving the destination's hostname, Cribl picks the first IP in the list for the next connection. Round-robin DNS would help with event balancing.
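As an added example (not Cribl's own code), the following Python sketch shows what the destination settings above and the connection notes translate to on the wire: an `Authorization: Splunk <token>` header, the JSON envelope the event endpoint expects, batching bounded by Max Body Size (KB) and Flush Period (s), a Request Concurrency limit, and a keepalive connection that is recycled two minutes after first use or when the server has closed it. The class and function names, the placeholder token and extra header, and the fixed-size sample events are constructed assumptions; no real HTTP call is made, flushed requests are recorded for inspection.

```python
import json
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple

# A request as it would leave the destination: headers plus the raw body bytes.
Request = Tuple[Dict[str, str], bytes]


def hec_envelope(event: dict, metadata: Optional[dict] = None) -> str:
    """Wrap one event in the JSON shape the HEC /services/collector/event endpoint
    expects: {"event": ...} plus optional keys such as sourcetype, host, index, time."""
    body = {"event": event}
    body.update(metadata or {})
    return json.dumps(body, separators=(",", ":"))


class HecBatcher:
    """Buffers events and emits HEC requests bounded by Max Body Size and Flush Period.
    Assumed design for illustration; not Cribl's implementation."""

    def __init__(self, token: str, max_body_kb: int = 4096, flush_period_s: float = 1.0,
                 request_concurrency: int = 5, extra_headers: Optional[Dict[str, str]] = None,
                 send: Optional[Callable[[Dict[str, str], bytes], None]] = None) -> None:
        # HEC authenticates with the "Splunk <token>" Authorization scheme.
        self.headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
        self.headers.update(extra_headers or {})          # Extra HTTP Headers setting
        self.max_body = max_body_kb * 1024                # Max Body Size (KB)
        self.flush_period = flush_period_s                # Flush Period (s)
        self._slots = threading.BoundedSemaphore(request_concurrency)  # Request Concurrency
        self._send = send                                 # real transport hook; None = record only
        self._buf: List[str] = []
        self._size = 0
        self._first_at: Optional[float] = None
        self.sent: List[Request] = []                     # every flushed request, for inspection

    def add(self, event: dict, metadata: Optional[dict] = None, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        line = hec_envelope(event, metadata)
        # Flush first if this line would push the body over the limit. A single
        # oversized event still goes out on its own instead of being dropped.
        if self._buf and self._size + 1 + len(line) > self.max_body:
            self.flush()
        if not self._buf:
            self._first_at, self._size = now, len(line)
        else:
            self._size += 1 + len(line)                   # newline between concatenated JSON objects
        self._buf.append(line)
        self.maybe_flush(now)

    def maybe_flush(self, now: Optional[float] = None) -> bool:
        """Flush once the oldest buffered event has waited flush_period seconds."""
        now = time.monotonic() if now is None else now
        if self._buf and now - self._first_at >= self.flush_period:
            self.flush()
            return True
        return False

    def flush(self) -> Optional[Request]:
        if not self._buf:
            return None
        body = "\n".join(self._buf).encode("utf-8")
        self._buf, self._size, self._first_at = [], 0, None
        req = (dict(self.headers), body)
        with self._slots:                                 # blocks once request_concurrency are in flight
            if self._send is not None:
                self._send(*req)
            self.sent.append(req)
        return req


class RecyclingConnection:
    """Models the keepalive policy from the notes: reuse one connection, but drop it
    two minutes after first use (or when the server closed it) so a new one is dialed."""

    def __init__(self, connect: Callable[[], object], max_age_s: float = 120.0) -> None:
        self._connect, self._max_age = connect, max_age_s
        self._conn, self._opened_at = None, None

    def get(self, now: Optional[float] = None, alive: bool = True) -> object:
        now = time.monotonic() if now is None else now
        expired = self._opened_at is not None and now - self._opened_at >= self._max_age
        if self._conn is None or expired or not alive:
            self._conn, self._opened_at = self._connect(), now
        return self._conn


def demo(max_body_kb: int = 1, count: int = 20) -> List[int]:
    """Feed constructed, fixed-size events through a 1 KB batcher; returns events per request."""
    batcher = HecBatcher(token="PLACEHOLDER-HEC-TOKEN", max_body_kb=max_body_kb,
                         extra_headers={"X-Example-Source": "constructed-sample"})
    for i in range(count):
        batcher.add({"seq": i, "msg": "A" * 80}, now=0.0)   # each line is 108-109 bytes
    batcher.flush()                                          # final partial batch
    return [body.count(b"\n") + 1 for _, body in batcher.sent]


if __name__ == "__main__":
    print(demo())   # [9, 9, 2]
```

With a 1 KB limit the 20 constructed events go out as three requests of 9, 9 and 2 events, each body staying under 1024 bytes; `demo()` returns those counts. Pass a real transport as `send` (and call `maybe_flush()` from a timer) to turn the sketch into a working sender; the `Splunk <token>` header and the concatenated-JSON body are what a HEC receiver checks on arrival.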