diff --git a/Content/Guides/syslog-ng-guide-admin/splunk-hec-event.htm b/Content/Guides/syslog-ng-guide-admin/splunk-hec-event.htm new file mode 100644 index 000000000..fa4244ed9 --- /dev/null +++ b/Content/Guides/syslog-ng-guide-admin/splunk-hec-event.htm @@ -0,0 +1,65 @@ + + + + + + + + + +

splunk-hec-event: Sending log messages to Splunk HEC

+

From version 4.2, it is possible to send messages to the Splunk HTTP Event Collector(HEC).

+
Prerequisites
+ +

For more information, see Set up and use HTTP Event Collector in Splunk Web.

+
HEC events API
+

The splunk-hec-event() destination feeds Splunk through the HEC Events API.

+

Minimal configuration:

+

+

destination d_splunk_hec_event {
+  splunk-hec-event(
+    url("https://localhost:8088")
+    token("70b6ae71-76b3-4c38-9597-0c5b37ad9630")
+  );
+};
+

+

Additional options:

+

+

event()
+index()
+source()
+sourcetype()
+host()
+time()
+default-index()
+default-source()
+default-sourcetype()
+fields()
+extra-headers()
+extra-queries()
+content-type()
+

+

event() accepts a template, that defines the content of the log message sent to Splunk. Default value: ${MSG}

+

index(), source(), host(), and time() accept templates, and define the respective fields for each log message based on the set template.

+

default-index(), default-source(), and default-sourcetype() accept literal strings, and are used as fallback values if a log message doesn’t set these fields. These values are passed to the URL as query parameters, so they don’t inflate the body of the HTTP request for each message in the batch, which saves bandwidth.

+

fields() accepts a template, that is forwarded as additional indexing metadata to Splunk.

+

extra-headers(), extra-queries(), and content-type() are additional HTTP request options.

+
HEC raw API
+

The splunk-hec-raw() destination feeds Splunk via the HEC raw API.

+

Minimal configuration:

+

+

destination d_splunk_hec_raw {
+  splunk-hec-raw(
+    url("https://localhost:8088")
+    token("70b6ae71-76b3-4c38-9597-0c5b37ad9630")
+    channel("05ed4617-f186-4ccd-b4e7-08847094c8fd")
+  );
+};
+

+

The options of the splunk-hec-raw() destination are similar to the splunk-hec-event() destination, however, the channel() option is mandatory. The channel() option must be a globally unique channel identifier (GUID), this ID differentiates the data from different clients. Note that Splunk does not generate this ID, you must create it for yourself. When Splunk sees a new channel identifier, it creates a new channel.

+

Use the template() option to set the content of the log message sent to Splunk. Avoid using the event() option, that is used in the splunk-hec-event() destination.

+ + \ No newline at end of file diff --git a/Content/Guides/syslog-ng-guide-admin/syslog-ng-with-splunk.htm b/Content/Guides/syslog-ng-guide-admin/syslog-ng-with-splunk.htm index 2ebc81bc9..5716120a2 100644 --- a/Content/Guides/syslog-ng-guide-admin/syslog-ng-with-splunk.htm +++ b/Content/Guides/syslog-ng-guide-admin/syslog-ng-with-splunk.htm @@ -19,6 +19,6 @@

Splunk: Sending log messages to Splunk

-

Note that the application has a dedicated Splunk destination. For details, see splunk-hec: Sending messages to Splunk HTTP Event Collector.

+

Note that from version 4.2.0, has a dedicated Splunk destination. For details, see splunk-hec-event: Sending log messages to Splunk HEC.

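Review bot: the replaced sentence in syslog-ng-with-splunk.htm lost its subject: "Note that from version 4.2.0, has a dedicated Splunk destination." reads as a fragment, whereas the removed line had "the application has a dedicated Splunk destination". Restore the subject (or the product-name variable if one was intended), e.g. "Note that from version 4.2.0, the application has a dedicated Splunk destination." Also align the version string with the new page, which says "From version 4.2" rather than "4.2.0".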
\ No newline at end of file diff --git a/Project/TOCs/syslog-ng-ose-guide-admin.fltoc b/Project/TOCs/syslog-ng-ose-guide-admin.fltoc index 258860ba8..58183d3c6 100644 --- a/Project/TOCs/syslog-ng-ose-guide-admin.fltoc +++ b/Project/TOCs/syslog-ng-ose-guide-admin.fltoc @@ -794,7 +794,11 @@ + +