Splunk (TCP)
Supported Platforms
| Platform | Metrics | Logs | Traces |
|---|---|---|---|
| Linux | ✓ | ||
| Windows | ✓ | ||
| macOS | ✓ | ||
| Kubernetes Gateway | ✓ |
Configuration Table
| Parameter | Type | Default | Description |
|---|---|---|---|
| listen_ip | string | "0.0.0.0" | IP Address to listen on. |
| listen_port* | int | Port to listen on. | |
| log_type | string | splunk_tcp | Arbitrary for attribute 'log_type'. Useful for filtering between many log sources. |
| parse_format | enum | none | Method to use when parsing. Valid values are none, json, and regex. When regex is selected, 'Regex Pattern' must be set. |
| regex_pattern | string | The regex pattern used when parsing log entries. | |
| multiline_line_start_pattern | string | Regex pattern that matches the beginning of a log entry, for handling multiline logs. | |
| multiline_line_end_pattern | string | Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs. | |
| parse_timestamp | bool | false | Whether to parse the timestamp from the log entry. |
| timestamp_field | string | timestamp | The field containing the timestamp in the log entry. |
| parse_timestamp_format | enum | ISO8601 | The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options include "ISO8601", "RFC3339", "Epoch", and "Manual". |
| epoch_timestamp_format | enum | s | The layout of the epoch-based timestamp. Required when parse_timestamp_format is set to "Epoch".. Options include "s", "ms", "us", "ns", "s.ms", "s.us", "s.ns". |
| manual_timestamp_format | string | '%Y-%m-%dT%H:%M:%S.%f%z' | The strptime layout of the timestamp. Used when parse_timestamp_format is set to "Manual". |
| timezone | timezone | UTC | The timezone to use if the Timestamp Format doesn't include a timezone. Otherwise, the timezone in the Timestamp Format will be respected. NOTE: This is also required to parse timezone abbreviations, due to their ambiguity. |
| parse_severity | bool | false | Whether to parse severity from the log entry. |
| severity_field | string | severity | The field containing the severity in the log entry. |
| parse_to | string | body | The field that the log will be parsed to. Some exporters handle logs favorably when parsed to attributes over body and vice versa. |
| enable_tls | bool | false | Whether or not to use TLS. |
| tls_certificate_path | string | Path to the TLS cert to use for TLS-required connections. | |
| tls_private_key_path | string | Path to the TLS key to use for TLS-required connections. | |
| tls_min_version | enum | "1.2" | The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. Valid values include: 1.3, 1.2, 1.1, 1.0. |
Kubernetes
The Splunk TCP source type supports Kubernetes Gateway agents. Splunk forwarders can send logs to the agents using the clusterIP services.
Prerequisites
- BindPlane OP v1.46.0 or newer
Configuration
Add the Splunk TCP source to your Gateway agent configuration. Set "Listen Address" to 0.0.0.0 and
Listen Port to 9997.
The Splunk forwarders should be configured to forward telemetry to bindplane-gateway-agent.bindplane-agent.svc.cluster.local
on port 9997. If the Splunk forwarders live outside of the cluster, you must make the bindplane-gateway-agent
service in the bindplane-agent namespace available using TCP ingress or by defining your own service
that can receive traffic from outside of the cluster. See the Kubernetes service documentation for more information.
Below is an example Splunk forwarder outputs configuration.