Free Report! Gartner® Hype Cycle™ for Monitoring and Observability.Read more

Splunk (TCP)

Supported Platforms

Kubernetes Gateway

Configuration Table

listen_ipstring""IP Address to listen on.
listen_port*intPort to listen on.
log_typestringsplunk_tcpArbitrary for attribute 'log_type'. Useful for filtering between many log sources.
parse_formatenumnoneMethod to use when parsing. Valid values are none, json, and regex. When regex is selected, 'Regex Pattern' must be set.
regex_patternstringThe regex pattern used when parsing log entries.
multiline_line_start_patternstringRegex pattern that matches the beginning of a log entry, for handling multiline logs.
multiline_line_end_patternstringRegex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs.
parse_timestampboolfalseWhether to parse the timestamp from the log entry.
timestamp_fieldstringtimestampThe field containing the timestamp in the log entry.
parse_timestamp_formatenumISO8601The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options include "ISO8601", "RFC3339", "Epoch", and "Manual".
epoch_timestamp_formatenumsThe layout of the epoch-based timestamp. Required when parse_timestamp_format is set to "Epoch".. Options include "s", "ms", "us", "ns", "", "", "s.ns".
manual_timestamp_formatstring'%Y-%m-%dT%H:%M:%S.%f%z'The strptime layout of the timestamp. Used when parse_timestamp_format is set to "Manual".
timezonetimezoneUTCThe timezone to use if the Timestamp Format doesn't include a timezone. Otherwise, the timezone in the Timestamp Format will be respected. NOTE: This is also required to parse timezone abbreviations, due to their ambiguity.
parse_severityboolfalseWhether to parse severity from the log entry.
severity_fieldstringseverityThe field containing the severity in the log entry.
parse_tostringbodyThe field that the log will be parsed to. Some exporters handle logs favorably when parsed to attributes over body and vice versa.
enable_tlsboolfalseWhether or not to use TLS.
tls_certificate_pathstringPath to the TLS cert to use for TLS-required connections.
tls_private_key_pathstringPath to the TLS key to use for TLS-required connections.
tls_min_versionenum"1.2"The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. Valid values include: 1.3, 1.2, 1.1, 1.0.
*required field


The Splunk TCP source type supports Kubernetes Gateway agents. Splunk forwarders can send logs to the agents using the clusterIP services.


  • BindPlane OP v1.46.0 or newer


Add the Splunk TCP source to your Gateway agent configuration. Set "Listen Address" to and Listen Port to 9997.

The Splunk forwarders should be configured to forward telemetry to bindplane-gateway-agent.bindplane-agent.svc.cluster.local on port 9997. If the Splunk forwarders live outside of the cluster, you must make the bindplane-gateway-agent service in the bindplane-agent namespace available using TCP ingress or by defining your own service that can receive traffic from outside of the cluster. See the Kubernetes service documentation for more information.

Below is an example Splunk forwarder outputs configuration.

2defaultGroup = bindplane-gateway-agent
5server = bindplane-gateway-agent.bindplane-agent.svc.cluster.local:9997
6compressed = false
7useACK = false
8sendCookedData = false