# Splunk destination plugin

The Splunk [destination plugin](/ingest/pipeline/plugins/destination-plugins)
(name: `splunk`, alias: `splunk_obs` or `splunk_siem`) lets you configure your
telemetry pipeline to send your telemetry data to Splunk.

## Supported telemetry types

The Splunk destination plugin for Chronosphere Telemetry Pipeline supports these telemetry types:

|                    Logs                    |                   Metrics                  |              Traces             |
| :----------------------------------------: | :----------------------------------------: | :-----------------------------: |
| <Icon icon="circle-check" color="green" /> | <Icon icon="circle-check" color="green" /> | <Icon icon="ban" color="red" /> |

## Configuration parameters

Use the parameters in this section to configure the Splunk destination plugin. The
Telemetry Pipeline web interface uses the items in the **Name** column to
describe these parameters. [Pipeline configuration files](/ingest/pipeline/v2/configure/config-files)
use the items in the **Key** column as YAML keys.

### General

| Name                  | Key            | Description                                                                          | Default     |
| --------------------- | -------------- | ------------------------------------------------------------------------------------ | ----------- |
| **Host**              | `host`         | Required. IP address or hostname of the target Splunk service.                       | `127.0.0.1` |
| **Port**              | `port`         | Required. TCP port of the target Splunk service.                                     | `8088`      |
| **Compress**          | `compress`     | Sets the payload compression mechanism. Accepted values: `gzip`, *none*.             | *none*      |
| **Splunk HTTP Token** | `splunk_token` | Required. Specifies the authentication token for the HTTP Event Collector interface. | *none*      |

### Security and TLS

| Name                           | Key              | Description                                                                                                                                               | Default |
| ------------------------------ | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| **TLS**                        | `tls`            | If `true`, enables TLS/SSL. If `false`, disables TLS/SSL. Accepted values: `true`, `false`.                                                               | `false` |
| **TLS Certificate Validation** | `tls.verify`     | If `on`, and if `tls` is `true`, enables TLS/SSL certificate validation. If `off`, disables TLS/SSL certificate validation. Accepted values: `on`, `off`. | `on`    |
| **TLS Debug Level**            | `tls.debug`      | Sets TLS debug verbosity level. Accepted values: `0` (No debug), `1` (Error), `2` (State change), `3` (Informational), `4` (Verbose).                     | `1`     |
| **CA Certificate File Path**   | `tls.ca_file`    | Absolute path to CA certificate file.                                                                                                                     | *none*  |
| **Certificate File Path**      | `tls.crt_file`   | Absolute path to certificate file.                                                                                                                        | *none*  |
| **Private Key File Path**      | `tls.key_file`   | Absolute path to private key file.                                                                                                                        | *none*  |
| **Private Key Path Password**  | `tls.key_passwd` | Password for private key file.                                                                                                                            | *none*  |
| **TLS SNI Hostname Extension** | `tls.vhost`      | Hostname to be used for TLS SNI extension.                                                                                                                | *none*  |

### Advanced

| Name                       | Key                    | Description                                                                                                                                                                                           | Default |
| -------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| **Splunk Channel**         | `channel`              | The `X-Splunk-Request-Channel` header to send to the HTTP Event Collector.                                                                                                                            | *none*  |
| **Enable Splunk Send Raw** | `splunk_send_raw`      | When enabled, the recorded keys and values are set in the top level of the map instead of under the event key. For more information, see [Raw events](#raw-events). Accepted values: `true`, `false`. | `false` |
| **Event Key**              | `event_key`            | Specifies the key name that will be used to send a single value as part of the record.                                                                                                                | *none*  |
| **Event Host**             | `event_host`           | Sets the host value to assign to the event data. The value allows a record accessor pattern.                                                                                                          | *none*  |
| **Event Source**           | `event_source`         | Sets the source value to assign to the event data.                                                                                                                                                    | *none*  |
| **Event Source Type**      | `event_sourcetype`     | Sets the `sourcetype` value to assign to the event data.                                                                                                                                              | *none*  |
| **Event Source Type Key**  | `event_sourcetype_key` | Sets a record key that will populate `sourcetype`. If the key is found, it will have precedence over the value set in `event_sourcetype`.                                                             | *none*  |
| **Event Index**            | `event_index`          | The name of the index by which the event data is to be indexed.                                                                                                                                       | *none*  |
| **Event Index Key**        | `event_index_key`      | Sets a record key that will populate the `index` field. If the key is found, it will have precedence over the value set in `event_index`.                                                             | *none*  |
| **Event Field(s)**         | `event_field`          | Sets event fields for the record. This option can be set multiple times and the format is `key_name record_accessor_pattern`.                                                                         | *none*  |
| **Proxy**                  | `proxy`                | Specifies an HTTP Proxy. The expected format of this value is `http://host:port`. HTTPS isn't supported.                                                                                              | *none*  |

### Advanced Networking

| Name                              | Key                             | Description                                                                                                                                         | Default |
| --------------------------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| **DNS Mode**                      | `net.dns.mode`                  | Selects the primary DNS connection type, which can be `TCP` or `UDP`.                                                                               | *none*  |
| **DNS Resolver**                  | `net.dns.resolver`              | Selects the primary DNS resolver type, which can be `LEGACY` or `ASYNC`.                                                                            | *none*  |
| **Prefer IPv4**                   | `net.dns.prefer_ipv4`           | Prioritizes IPv4 DNS results when trying to establish a connection. Accepted values: `true`, `false`.                                               | `false` |
| **Keepalive**                     | `net.keepalive`                 | Enables or disables Keepalive support. Accepted values: `true`, `false`.                                                                            | `true`  |
| **Keepalive Idle Timeout**        | `net.keepalive_idle_timeout`    | Sets the maximum time allowed for an idle Keepalive connection.                                                                                     | `30s`   |
| **Max Connect Timeout**           | `net.connect_timeout`           | Sets the maximum time allowed to establish a connection, which includes the TLS handshake.                                                          | `10s`   |
| **Max Connect Timeout Log Error** | `net.connect_timeout_log_error` | Specifies whether to log an error on connection timeout. When disabled, the timeout is logged as a debug message. Accepted values: `true`, `false`. | `true`  |
| **Source Address**                | `net.source_address`            | Specifies the network address to bind for data traffic.                                                                                             | *none*  |
| **Max Keepalive Recycle**         | `net.keepalive_max_recycle`     | Sets the maximum number of times a keepalive connection can be used before it's retired.                                                            | `2000`  |

### Basic Authentication

| Name              | Key           | Description                                          | Default |
| ----------------- | ------------- | ---------------------------------------------------- | ------- |
| **HTTP Username** | `http_user`   | Basic auth username.                                 | *none*  |
| **HTTP Password** | `http_passwd` | Basic auth password. Requires `http_user` to be set. | *none*  |

### Debugging

| Name                              | Key                      | Description                                                                                                                                                                                                                                                                                                                                                                     | Default |
| --------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| **HTTP Buffer Size**              | `http_buffer_size`       | Specifies the buffer size used to read the response from the Splunk HTTP service. This option is used for debugging purposes when it's required to read full responses. Response size grows depending on the number of records inserted. To set an unlimited amount of memory, set this value to `false`. Otherwise, the value must follow the Unit Size specification.         | *none*  |
| **Enable HTTP Debug Bad Request** | `http_debug_bad_request` | If the server returns an HTTP `400 Bad Request` status code and this flag is enabled, it will print the full HTTP request and response to the stdout interface. Used for debugging purposes. Accepted values: `true`, `false`.                                                                                                                                                  | `false` |
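
The following check is an added example, not part of Chronosphere's documentation or tooling. It audits a flat mapping of the keys documented above for security-relevant settings: `tls` defaults to `false`, so the HEC token and events travel over plain HTTP unless TLS is enabled, and `tls.verify` only applies when `tls` is `true`. The function name, severity labels, and sample values are assumptions made for illustration.

```python
# Added example: audits a flat mapping of this plugin's keys (Key column above).
DEFAULTS = {"tls": "false", "tls.verify": "on", "http_debug_bad_request": "false"}
TLS_KEYS = ("tls.verify", "tls.ca_file", "tls.crt_file", "tls.key_file",
            "tls.key_passwd", "tls.vhost")


def _value(cfg, key):
    """Effective value as a lowercase string, falling back to the documented default."""
    return str(cfg.get(key, DEFAULTS.get(key, ""))).strip().lower()


def audit_splunk_output(cfg):
    """Return (severity, key, message) findings for one splunk destination config."""
    findings = []
    if not cfg.get("splunk_token"):
        findings.append(("error", "splunk_token", "required HEC token is not set"))
    if _value(cfg, "tls") != "true":
        findings.append(("high", "tls",
                         "TLS is off (documented default): token and events are sent unencrypted"))
        for key in TLS_KEYS:
            if key in cfg:
                findings.append(("medium", key, "TLS option set while tls is not enabled"))
    elif _value(cfg, "tls.verify") in ("off", "false"):
        # YAML loaders may turn a bare `off` into boolean False, so accept both.
        findings.append(("high", "tls.verify",
                         "certificate validation is disabled: the server is not authenticated"))
    if _value(cfg, "http_debug_bad_request") == "true":
        findings.append(("medium", "http_debug_bad_request",
                         "full HTTP request and response go to stdout on a 400 response"))
    if cfg.get("http_passwd") and not cfg.get("http_user"):
        findings.append(("error", "http_passwd", "requires http_user to be set"))
    return findings


# Constructed sample configs; host, token and file path are placeholders.
WEAK = {"host": "splunk.example.internal", "port": 8088,
        "splunk_token": "00000000-0000-0000-0000-000000000000",
        "tls.verify": "off", "http_debug_bad_request": True, "http_passwd": "example"}
HARDENED = {"host": "splunk.example.internal", "port": 8088,
            "splunk_token": "00000000-0000-0000-0000-000000000000",
            "tls": True, "tls.verify": "on", "tls.ca_file": "/path/to/ca.pem"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_splunk_output(cfg))
```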

## Raw events

By default, the Splunk destination plugin sends data to the `/services/collector/event`
Splunk endpoint. However, if **Enable Splunk Send Raw** is enabled, this plugin
sends data to the `/services/collector/raw` endpoint instead.

The `/services/collector/raw` endpoint doesn't support nested fields in events and ignores
any settings defined in the **Event Field(s)** plugin parameter. Because of these limitations,
Chronosphere recommends sending raw events only in specific scenarios, like for machine
data or IoT device data. Additionally, send raw events only after you configure
Splunk to receive them.

For more information about sending raw events, see
the Splunk [Format events for HTTP Event Collector](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/format-events-for-http-event-collector#Event_metadata)
documentation.
