From 89f5b4db1d60a613fdde2dffd3d06c2c639285c5 Mon Sep 17 00:00:00 2001 From: May Lee Date: Tue, 16 Jun 2026 17:02:41 -0400 Subject: [PATCH 1/6] add metrics doc --- config/_default/menus/main.en.yaml | 2 +- .../destinations/_index.md | 2 +- .../destinations/splunk_hec/_index.md | 4 + .../{splunk_hec.md => splunk_hec/logs.md} | 20 ++--- .../destinations/splunk_hec/metrics.md | 90 +++++++++++++++++++ .../destination_env_vars/splunk_hec.en.md | 2 +- .../splunk_hec_secrets.en.md | 7 ++ 7 files changed, 111 insertions(+), 16 deletions(-) create mode 100644 content/en/observability_pipelines/destinations/splunk_hec/_index.md rename content/en/observability_pipelines/destinations/{splunk_hec.md => splunk_hec/logs.md} (85%) create mode 100644 content/en/observability_pipelines/destinations/splunk_hec/metrics.md create mode 100644 layouts/shortcodes/observability_pipelines/splunk_hec_secrets.en.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index a835a18c00d..7ccaff42184 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6844,7 +6844,7 @@ menu: identifier: observability_pipelines_socket weight: 421 - name: Splunk HEC - url: observability_pipelines/destinations/splunk_hec + url: observability_pipelines/destinations/splunk_hec/logs/ parent: observability_pipelines_destinations identifier: observability_pipelines_splunk_hec weight: 422 diff --git a/content/en/observability_pipelines/destinations/_index.md b/content/en/observability_pipelines/destinations/_index.md index c06f7f6f54f..b6fbb03d08f 100644 --- a/content/en/observability_pipelines/destinations/_index.md +++ b/content/en/observability_pipelines/destinations/_index.md @@ -62,7 +62,7 @@ These are the available destinations: [16]: /observability_pipelines/destinations/opensearch/ [17]: /observability_pipelines/destinations/sentinelone/ [18]: /observability_pipelines/destinations/socket/ -[19]: /observability_pipelines/destinations/splunk_hec/ +[19]: /observability_pipelines/destinations/splunk_hec/logs/ [20]: /observability_pipelines/destinations/sumo_logic_hosted_collector/ [21]: /observability_pipelines/destinations/syslog/ [22]: /observability_pipelines/destinations/amazon_s3/ diff --git a/content/en/observability_pipelines/destinations/splunk_hec/_index.md b/content/en/observability_pipelines/destinations/splunk_hec/_index.md new file mode 100644 index 00000000000..0a233772bb4 --- /dev/null +++ b/content/en/observability_pipelines/destinations/splunk_hec/_index.md @@ -0,0 +1,4 @@ +--- +title: Splunk HEC +type: multi-code-lang +--- \ No newline at end of file diff --git a/content/en/observability_pipelines/destinations/splunk_hec.md b/content/en/observability_pipelines/destinations/splunk_hec/logs.md similarity index 85% rename from content/en/observability_pipelines/destinations/splunk_hec.md rename to content/en/observability_pipelines/destinations/splunk_hec/logs.md index ecc720bdac0..7ebaa6fd0b9 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/logs.md @@ -1,14 +1,14 @@ --- title: Splunk HTTP Event Collector (HEC) Destination +description: Learn how to set up the Splunk HEC destination for logs in Observability Pipelines. disable_toc: false -products: -- name: Logs - icon: logs - url: /observability_pipelines/configuration/?tab=logs#pipeline-types +aliases: +- /observability_pipelines/destinations/splunk_hec/ +code_lang: logs +type: multi-code-lang +weight: 1 --- -{{< product-availability >}} - ## Overview Use Observability Pipelines' Splunk HTTP Event Collector (HEC) destination to send logs to Splunk HEC. @@ -63,13 +63,7 @@ Select the **Encoding** in the dropdown menu (**JSON** or **Raw**). {{< tabs >}} {{% tab "Secrets Management" %}} -- Splunk HEC token identifier: - - References the Splunk HEC token for the Splunk indexer. - - The default identifier is `DESTINATION_SPLUNK_HEC_TOKEN`. -- Splunk HEC endpoint URL identifier: - - References the Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example, `https://hec.splunkcloud.com:8088`. - - **Note**: `/services/collector/event` path is automatically appended to the endpoint. - - The default identifier is `DESTINATION_SPLUNK_HEC_ENDPOINT_URL`. +{{% observability_pipelines/splunk_hec_secrets %}} {{% /tab %}} diff --git a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md new file mode 100644 index 00000000000..317f39ff795 --- /dev/null +++ b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md @@ -0,0 +1,90 @@ +--- +title: Splunk HTTP Event Collector (HEC) Destination +description: Learn how to set up the Splunk HEC destination for metrics in Observability Pipelines. +disable_toc: false +code_lang: metrics +type: multi-code-lang +weight: 2 +--- + +## Overview + +Use Observability Pipelines' Splunk HTTP Event Collector (HEC) destination to send metrics to Splunk HEC. + +## Setup + +Configure the Splunk HEC destination when you [set up a pipeline][1]. You can set up a pipeline in the [UI][3], using the [API][4], or with [Terraform][5]. The steps in this section are configured in the UI. + +
For Secrets Management: Only enter the identifiers for the Splunk HEC token, endpoint, and if applicable, the TLS key pass. Do not enter the actual values.
+ +{{% observability_pipelines/secrets_env_var_note %}} + +After you select the Splunk HEC destination in the pipeline UI: + +1. Enter the identifier for your token. If you leave it blank, the [default](#secret-defaults) is used. +1. Enter the identifier for your endpoint URL. If you leave it blank, the [default](#secret-defaults) is used. + +### Optional settings + +#### Default namespace + +Enter a default namespace. + +#### Compression + +If you want to compress your metrics with gzip, select **gzip** in the dropdown menu. The default compression is **None**. + +#### Splunk index + +Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC. See [template syntax][6] if you want to route metrics to different indexes based on specific fields in your metrics. + +#### Source + +Enter a source field and value if you want them added to your metrics. + +#### Source type override + +Set the `sourcetype` to override Splunk's default value, which is `httpevent` for HEC data. See [template syntax][6] if you want to route metrics to different source types based on specific fields in your metrics. + +#### Buffering + +{{% observability_pipelines/destination_buffer %}} + +#### Enable TLS + +{{% observability_pipelines/tls_settings %}} + +## Secret defaults + +{{% observability_pipelines/set_secrets_intro %}} + +{{< tabs >}} +{{% tab "Secrets Management" %}} + +{{% observability_pipelines/splunk_hec_secrets %}} + +{{% /tab %}} + +{{% tab "Environment Variables" %}} + +{{% observability_pipelines/configure_existing_pipelines/destination_env_vars/splunk_hec %}} + +{{% /tab %}} +{{< /tabs >}} + +### How the destination works + +#### Event batching + +A batch of events is flushed when one of these parameters is met. See [event batching][2] for more information. + +| Maximum Events | Maximum Size (MB) | Timeout (seconds) | +|----------------|-------------------|---------------------| +| TKTK | TKTK | TKTK | + +[1]: /observability_pipelines/configuration/set_up_pipelines/ +[2]: /observability_pipelines/destinations/#event-batching +[3]: https://app.datadoghq.com/observability-pipelines +[4]: /api/latest/observability-pipelines/ +[5]: https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/observability_pipeline +[6]: /observability_pipelines/destinations/#template-syntax \ No newline at end of file diff --git a/layouts/shortcodes/observability_pipelines/configure_existing_pipelines/destination_env_vars/splunk_hec.en.md b/layouts/shortcodes/observability_pipelines/configure_existing_pipelines/destination_env_vars/splunk_hec.en.md index f775154f6fa..82e4f75b57e 100644 --- a/layouts/shortcodes/observability_pipelines/configure_existing_pipelines/destination_env_vars/splunk_hec.en.md +++ b/layouts/shortcodes/observability_pipelines/configure_existing_pipelines/destination_env_vars/splunk_hec.en.md @@ -2,6 +2,6 @@ - The Splunk HEC token for the Splunk indexer. **Note**: Depending on your shell and environment, you may not want to wrap your environment variable in quotes. - The default environment variable is `DD_OP_DESTINATION_SPLUNK_HEC_TOKEN`. - Base URL of the Splunk instance: - - The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed logs to. For example, `https://hec.splunkcloud.com:8088`. + - The Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed data to. For example, `https://hec.splunkcloud.com:8088`. **Note**: `/services/collector/event` path is automatically appended to the endpoint. - The default environment variable is `DD_OP_DESTINATION_SPLUNK_HEC_ENDPOINT_URL`. \ No newline at end of file diff --git a/layouts/shortcodes/observability_pipelines/splunk_hec_secrets.en.md b/layouts/shortcodes/observability_pipelines/splunk_hec_secrets.en.md new file mode 100644 index 00000000000..7bb52750be9 --- /dev/null +++ b/layouts/shortcodes/observability_pipelines/splunk_hec_secrets.en.md @@ -0,0 +1,7 @@ +- Splunk HEC token identifier: + - References the Splunk HEC token for the Splunk indexer. + - The default identifier is `DESTINATION_SPLUNK_HEC_TOKEN`. +- Splunk HEC endpoint URL identifier: + - References the Splunk HTTP Event Collector endpoint your Observability Pipelines Worker sends processed data to. For example, `https://hec.splunkcloud.com:8088`. + - **Note**: `/services/collector/event` path is automatically appended to the endpoint. + - The default identifier is `DESTINATION_SPLUNK_HEC_ENDPOINT_URL`. \ No newline at end of file From 2e195153e872186bcca56cc44f9911180f7fb77c Mon Sep 17 00:00:00 2001 From: May Lee Date: Tue, 16 Jun 2026 17:05:34 -0400 Subject: [PATCH 2/6] add external redirect --- .../en/observability_pipelines/destinations/splunk_hec/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/observability_pipelines/destinations/splunk_hec/_index.md b/content/en/observability_pipelines/destinations/splunk_hec/_index.md index 0a233772bb4..d59a419fa88 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec/_index.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/_index.md @@ -1,4 +1,5 @@ --- title: Splunk HEC type: multi-code-lang +external_redirect: /observability_pipelines/destinations/splunk_hec/logs/ --- \ No newline at end of file From 777c113f13aca9fde5b41d917b2294e5f568b2c2 Mon Sep 17 00:00:00 2001 From: May Lee Date: Wed, 17 Jun 2026 13:09:42 -0400 Subject: [PATCH 3/6] add index info --- .../destinations/splunk_hec/metrics.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md index 317f39ff795..8d64f9bd30a 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md @@ -15,6 +15,10 @@ Use Observability Pipelines' Splunk HTTP Event Collector (HEC) destination to se Configure the Splunk HEC destination when you [set up a pipeline][1]. You can set up a pipeline in the [UI][3], using the [API][4], or with [Terraform][5]. The steps in this section are configured in the UI. +**Notes**: +- The Splunk index you send your metrics to must be a metrics index. If you send them to an events index, you can't view the metrics in Splunk using any metrics type queries, such as `mcatalog` and `mstats`. +- If you don't attach your index to the Splunk authentication token you are using for Observability Pipelines, you must enter the name of the [index](#splunk-index) when you set up the destination. +
For Secrets Management: Only enter the identifiers for the Splunk HEC token, endpoint, and if applicable, the TLS key pass. Do not enter the actual values.
{{% observability_pipelines/secrets_env_var_note %}} @@ -36,11 +40,13 @@ If you want to compress your metrics with gzip, select **gzip** in the dropdown #### Splunk index -Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC. See [template syntax][6] if you want to route metrics to different indexes based on specific fields in your metrics. +Enter the name of the Splunk metrics index to which you are sending metrics. See [template syntax][6] if you want to route metrics to different indexes based on specific fields in your metrics. + +**Note**: This **Index** field is only optional if you have an index attached to the Splunk authentication token you are using for Observability Pipelines. Otherwise, you must enter the name of the Splunk index to which you want to send metrics. #### Source -Enter a source field and value if you want them added to your metrics. +Enter a source value if you want the source field added to your metrics. #### Source type override From dd4747418dc025ed7f249ca8d2e509c2e238f0c1 Mon Sep 17 00:00:00 2001 From: May Lee Date: Wed, 17 Jun 2026 15:20:41 -0400 Subject: [PATCH 4/6] add batching --- .../observability_pipelines/destinations/splunk_hec/metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md index 8d64f9bd30a..ef9a03e4f8d 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md @@ -86,7 +86,7 @@ A batch of events is flushed when one of these parameters is met. See [event bat | Maximum Events | Maximum Size (MB) | Timeout (seconds) | |----------------|-------------------|---------------------| -| TKTK | TKTK | TKTK | +| None | 1 | 1 | [1]: /observability_pipelines/configuration/set_up_pipelines/ [2]: /observability_pipelines/destinations/#event-batching From 79f75bcefd0846cffd18bdce270c3e7d9ed890a8 Mon Sep 17 00:00:00 2001 From: May Lee Date: Wed, 17 Jun 2026 15:21:07 -0400 Subject: [PATCH 5/6] small edit --- .../observability_pipelines/destinations/splunk_hec/metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md index ef9a03e4f8d..7d24063616e 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md @@ -86,7 +86,7 @@ A batch of events is flushed when one of these parameters is met. See [event bat | Maximum Events | Maximum Size (MB) | Timeout (seconds) | |----------------|-------------------|---------------------| -| None | 1 | 1 | +| None | 1 | 1 | [1]: /observability_pipelines/configuration/set_up_pipelines/ [2]: /observability_pipelines/destinations/#event-batching From 52b6aa3bfac5825f58c400c29f6ca9e1992d5470 Mon Sep 17 00:00:00 2001 From: May Lee Date: Wed, 17 Jun 2026 15:28:49 -0400 Subject: [PATCH 6/6] small edit --- .../observability_pipelines/destinations/splunk_hec/metrics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md index 7d24063616e..744a700cd50 100644 --- a/content/en/observability_pipelines/destinations/splunk_hec/metrics.md +++ b/content/en/observability_pipelines/destinations/splunk_hec/metrics.md @@ -42,7 +42,7 @@ If you want to compress your metrics with gzip, select **gzip** in the dropdown Enter the name of the Splunk metrics index to which you are sending metrics. See [template syntax][6] if you want to route metrics to different indexes based on specific fields in your metrics. -**Note**: This **Index** field is only optional if you have an index attached to the Splunk authentication token you are using for Observability Pipelines. Otherwise, you must enter the name of the Splunk index to which you want to send metrics. +**Note**: This **Index** field is only optional if you have an index attached to the Splunk authentication token you are using for Observability Pipelines. Otherwise, you must enter the name of the Splunk metrics index. #### Source